published: Digital Cleansing - Jitsi

Ali Mürteza Yeşil 2020-07-18 23:13:07 +06:00
parent 965ded3974
commit 1832bd5c3b
23 changed files with 1153 additions and 197 deletions


@ -3,8 +3,8 @@ date: 2020-07-18 00:00
tags: privacy, jitsi, 100DaysToOffload
category: tech
summary: My family and relatives live different countries and make good use of video calling services regardless of who is offering the service
status: draft
comment:
status: published
comment: https://fosstodon.org/@murtezayesil/104535970036319662
hundreddaystooffload: 5
My family is spread into 3 countries in 3 different continents. If we include my close relatives too, these numbers go even higher. It is important to stay in contact with your family and relatives in Turkish culture and we try to do that. Let it be weekend Zoom meetings (in 40 minute chunks :) or phone calls on WhatsApp (owned by Facebook), we heavily rely on third party services for communication. After launching NextCloud for my family to use, I what I wanted to tackle the __Communication__ problem.
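Review bot: The status flips to published while the intro paragraph at the end of this hunk still reads "I what I wanted to tackle" and the summary says "live different countries". Both go live with this change; suggest "I wanted to tackle" and "live in different countries" before publishing.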
@ -16,44 +16,94 @@ We have 3 kinds of communication needs in the family:
---
### Text Messaging & Voice Calls
I have been usign Telegram wherever I can for few years. Its UI is very similar to that of WhatsApp which I hope will ease the transition for my relatives. Since it also has voice calling, I don't need to look for another service for that. I love hitting two birds with one stone (only in metaphor) 😄️
I have been usign Telegram wherever I can for few years. Its UI is very similar to that of WhatsApp which I hope will ease the transition for my relatives. Since it also has voice calling, I don't need to look for another service for that. I love hitting two birds with one stone (only in metaphor) 😄️
That being said, I won't actually talk much about WhatsApp. Facebook bought WhatsApp back in February 2014. I believe that was a great deal for Facebook and a terrible deal for users.
I know I mentioned Telegram but there is one more great alternative to WhatsApp (or even Telegram). It is called [Signal](https://signal.org/ "Official page") and it is developed by a non-profit founded by Co-founder of WhatsApp, Brian Acton. It is one freaking secure messaging app 😎️
---
### Group Video Calls
We still need a trustable video calling service provider though. Current choice of my family is Zoom, just like millions of other people who needed a video calling service for remote work, distance education and calling their loved ones. But Zoom seemingly popped out of nowhere for many people. I wanted to learn more about who Zoom is and how trustable it is. I hope my findings will help you to make educated decisions.
My families' and relatives' current choice of Group Video Calling service is Zoom, just like millions of other people who needed a video calling service for remote work, distance education and calling their loved ones. But Zoom seemingly popped out of nowhere for many people. I wanted to learn more about who Zoom is and how trustable it is. I hope my findings will help you to make educated decisions.
Zoom was [launched in September 2012](https://en.wikipedia.org/wiki/Zoom_(software)#History "History of Zoom on Wikipedia"), reached [1 Million user base in January 2013](https://www.tmcnet.com/topics/articles/2013/05/23/339279-zoom-video-communications-reaches-1-million-participants.htm "Zoom Video Communications Reaches 1 Million Participants - TMCnet") and rapidly grow during global quarantine to a point that Zoom got [2.13 Million downloads on March 23 2020](https://web.archive.org/web/20200422125131/https://www.theguardian.com/technology/2020/mar/31/zoom-booms-as-demand-for-video-conferencing-tech-grows-in-coronavirus-outbreak "Zoom booms as demand for video-conferencing tech grows - The Guardian [archive]").
Zoom was [launched in September 2012](https://en.wikipedia.org/wiki/Zoom_(software)#History "History of Zoom on Wikipedia"), reached [1 Million user base in January 2013](https://www.tmcnet.com/topics/articles/2013/05/23/339279-zoom-video-communications-reaches-1-million-participants.htm "Zoom Video Communications Reaches 1 Million Participants - TMCnet") and rapidly grow during global quarantine to a point that Zoom got [2.13 Million downloads on March 23rd 2020](https://web.archive.org/web/20200422125131/https://www.theguardian.com/technology/2020/mar/31/zoom-booms-as-demand-for-video-conferencing-tech-grows-in-coronavirus-outbreak "Zoom booms as demand for video-conferencing tech grows - The Guardian [archive]").
Given that Zoom reached 1 Million userbase within 5 months (from September 2012 to January 2013) and they were a subscription based service that cost 9.99$/month, it was a profitable business. I expect such company to invest into infrastructure and app security. I am saying this because they clearly had time to fix issues in their apps before the pandemic arrived.
After some research (reading Wikipedia) I found that Zoom had many wounds that hurt many of its users. Given that Zoom reached 1 Million userbase 5 months after launching (from September 2012 to January 2013) and they were charging 9.99$/month, I expect Zoom to invest into infrastructure and app security. I am saying this because they clearly had time to fix issues in their apps before the pandemic arrived. Here are few examples to show how Zoom messed up:
__Windows__ : [Attackers can use Zoom to steal users Windows credentials with no warning - ars technica](https://arstechnica.com/information-technology/2020/04/unpatched-zoom-bug-lets-attackers-steal-windows-credentials-with-no-warning/)
__MacOS__ : [Zoom Zero-Day Bug Opens Mac Users to Webcam Hijacking - threat post](https://threatpost.com/zoom-zero-day-mac-webcam-hijacking/146317/). This prompted Apple to use its MRT (Malware Removal Tool) to remotely delete Zoom from Mac computers.
__MacOS__ : [Zoom Zero Day: 4+ Million Webcams & maybe an RCE? Just get them to visit your website! - InfoSec Write-ups](https://medium.com/bugbountywriteup/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5) allowing Zoom to reinstall itself after being uninstalled and join a video call with camera activated without user's permission.
__MacOS__ : [Zoom App installation uses the same method used by malwares to gain root priviledges](https://nitter.net/c1truz_/status/1244737672930824193)
__MacOS__ : [Zoom App installation uses the same method used by malwares to gain root priviledges - Twitter thread on Nitter](https://nitter.net/c1truz_/status/1244737672930824193)
__iOS__ : [Zoom iOS App Sends Data to Facebook Even if You Dont Have a Facebook Account - Vice](https://www.vice.com/en_ca/article/k7e599/zoom-ios-app-sends-data-to-facebook-even-if-you-dont-have-a-facebook-account)
__Android__ :
__Android__ : I didn't find any news about Zoom Android App vulnerabilities. But if they used Facebook tracker in iOS app, I don't see any reason why zoom wouldn't use the same on Android
__Linux__ : No vulnerability was found YET. Remember that [Linux desktop has a small marketshare](https://netmarketshare.com/operating-system-market-share.aspx?options=%7B%22filter%22%3A%7B%22%24and%22%3A%5B%7B%22deviceType%22%3A%7B%22%24in%22%3A%5B%22Desktop%2Flaptop%22%5D%7D%7D%5D%7D%2C%22dateLabel%22%3A%22Custom%22%2C%22attributes%22%3A%22share%22%2C%22group%22%3A%22platform%22%2C%22sort%22%3A%7B%22share%22%3A-1%7D%2C%22id%22%3A%22platformsDesktop%22%2C%22dateInterval%22%3A%22Monthly%22%2C%22dateStart%22%3A%222019-08%22%2C%22dateEnd%22%3A%222020-06%22%2C%22plotKeys%22%3A%5B%7B%22platform%22%3A%22Linux%22%7D%2C%7B%22platform%22%3A%22Mac%20OS%22%7D%2C%7B%22platform%22%3A%22Chrome%20OS%22%7D%5D%2C%22segments%22%3A%22-1000%22%7D "Less than 4%") and apps for it are less likely to be targeted by hackers.
> "Zoom has just had so many missteps."
> - Patrick Wardle, Jamf
You can read about Zoom's vulnerabilities on MacOS and iOS in detail in [this blog post of Objective-See](https://objective-see.com/blog/blog_0x56.html "The 'S' in Zoom, Stands for Security - Objective-See").
These issues were __FIXED__ by Zoom. But some of them took long time as if Zoom didn't really care about the user privacy and security. Not to mention, God knows when they would start working on fixing vulnerabilities if it wasn't for public backlash.
These issues were __FIXED__ by Zoom. But Zoom took long time to responde some of the cyber security personel as if it didn't care about the user privacy and security. I only mentioned the vulnerabilities in Zoom's apps. Zoom also [contributed to censorship](https://www.axios.com/zoom-closes-chinese-user-account-tiananmen-square-f218fed1-69af-4bdd-aac4-7eaf67f34084.html "Zoom closed account of U.S.-based Chinese activist “to comply with local law” - Axios") by closing human rights activist Zhou Fengsuo's paid account and closing Social activist Lee Cheuk Yan's account upon China's request.
Since those vulnerabilities are fixed it should be safe to use, right?
Unfortunately, NO. They changed their privacy policy for better but not assuring enough.
👉️ Since those vulnerabilities are fixed it should be safe to use Zoom, right?
Unfortunately, NO. Even if apps became less vulnerable, users still are through weak privacy practices and use of third party trackers. Zoom's Privacy Policy is [not assuring enough](https://zoom.us/privacy#_Toc44414842).
They introduced end-to-end encryption, E2EE. Is it insecure encryption?
AES-256 ECB is one of the greatest encryption algorithms out there. But it isn't enabled by default and enabling E2EE disables many features such as screensharing, which doesn't incentivise people to use it. Both enterprise customers and teachers would want to use screensharing, thus not using E2EE.
👉️ They introduced end-to-end encryption, E2EE. Is it insecure encryption?
AES-256 ECB algorithm used for E2EE is one of the greatest encryption algorithms out there. But it isn't enabled by default and enabling E2EE disables many features such as screensharing, which doesn't incentivise people to use E2EE. Both enterprise customers and teachers would want to use screensharing, thus not using E2EE.
👉️ They say Zoom encrypts every meeting by default. Are they lying?
No, they are not. But they aren't telling the whole story either. When you start a Zoom meeting, your device establishes a connection to Zoom over [HTTPS](https://en.wikipedia.org/wiki/Https#Security). Meaning data is encrypted during transmission between you and Zoom. Data gets decrypted in Zoom and encrypted again before it goes to whoever you are meeting with. This is done because everybody in the meeting has different [session key](https://en.wikipedia.org/wiki/Session_key) for encryption. Your meeting is apparent to Zoom, not hidden from it.
👉️ Zoom has faced [0-day attacks](https://en.wikipedia.org/wiki/Zero-day_(computing) "Learn about zero day attacks on Wikipedia") which weren't fair.
Not a question but I get your point. When a cyber security personal discovers a vulnerability, (s)he informs the vendor about the vulnerability in disguise and asks for bounty. Vendor checks if that is a legit vulnerability or a scam. Then they work together to fix the issue and vendor pays the bounty. Many companies have a [bug](https://www.intel.com/content/www/us/en/security-center/bug-bounty-program.html "Intel offers upto 100,000$") [bounty](https://hackerone.com/verizonmedia?type=team "Verizon offers upto 15,000$") [program](https://www.microsoft.com/en-us/msrc/bounty "Microsoft offers upto 100,000$").
A cyber security personal may choose to release the vulnerability to public for it to be exploited by other people, which turns a vulnerability into zero day attack. This action incentivises vendor to fix that issue immediately since issue became well-known.
Zoom had time since 2013 for testing its softwares properly. Proper testing would uncover those bugs before hackers did. Any company that is careless about security and privacy of its customers' deserves to be pinched to start acting.
What if I am forced to Zoom by my employer/school/family?
Desktop/laptop users:
1. Windows: Use virtual machine and apply one of the below Linux methods
2. MacOS: Use virtual machine and apply one of the below Linux methods
3. Linux: Install Linux Live image on a USB and boot into it everytime you need to Zoom. Install Zoom into that Live environment. Zoom will only be able to access what is in that Live environment. Shutting down a Live environment deletes everything that was installed in that session.
4. Linux: [Install Zoom into a firejail](https://ar.al/2020/06/25/how-to-use-the-zoom-malware-safely-on-linux-if-you-absolutely-have-to/ "How to use the Zoom malware safely on Linux if you absolutely have to - Aral Balkan"), greatly limiting what it can reach.
Mobile users:
1. Android: [Create a restricted user](https://www.howtogeek.com/333484/how-to-set-up-multiple-user-profiles-on-android/ "This process maybe different for different brands") on your phone and install Zoom there. Not in your main user.
2. Android: If you can, use Zoom on Linux as described above.
3. iOS: Don't give it permissions if you don't need them. Don't let it run in background. Uninstall after using.
4. iOS: If you can, use Zoom on Linux as described above.
PS: I don't own a Mac, iPhone or Windows PC. But since Zoom on those platforms seem to be the affected most, I recommend everybody to use Zoom on Linux in a firejail if you absolutely have to.
I also wanted to read articles [that](https://medium.com/@rowantrollope/beyond-the-noise-7-reasons-its-safe-to-run-zoom-9a2e639b13ec) [defend](https://blog.prialto.com/3-reasons-why-zoom-provides-the-best-video-conferencing-software) [Zoom](https://www.forbes.com/sites/rebeccabellan/2020/03/24/what-you-need-to-know-about-using-zoom/#3cee9d0d3284). But they are mostly talking about Zoom's E2EE feature (that is not default), how people got creative with Virtual Background feature, Zoom's clean UI, ability to fake paying attention and its price. They either say nothing about Zooms privacy policy or even if they say something, it is not assuring in my opinion.
---
# Jitsi
Jitsi is an open source alternative to Video Calling (Conferencing) services. I will prove that Jitsi is much better than Zoom with only 1 sentence.
<h1 style="text-align: center;">You can host Jitsi on your own server without relying on another entity</h1>
You want more?
1. Jitsi has Clean UI that is familiar to that of Zoom.
2. Jitsi __doesn't__ have looping video feature which helps students or emplyees fake paying attention.
3. Jitsi is <strong title="Free Open Source Software">FOSS</strong> developed by [8x8](https://8x8.com).
4. Hosting Jitsi doesn't require a server with powerful CPU or GPU. Important resource is bandwidth.
- Jitsi doesn't have virtual background but it instead has background blurring in development.
👉️ Is it truely E2EE?
__This is what I understood from reading [this threat](https://github.com/jitsi/jitsi-meet/issues/409#issuecomment-260652107). Please correct me if I am wrong__
Short answer is No.
Long answer is: Just like in Zoom's case, connection between users and Jitsi VideoBridge (server) is encrypted. Server decrypts and encrypts everybody's stream for everybody else. But by having the control of Jitsi VideoBridge (server) by hosting it on your own server, you can assure that no other company/organization is holding your plain data except the recepient you are meeting with.
That being said, Jitsi can establish P2P connection in rooms where there are only 2 people. This is a feature of WebRTC that Jitsi is built upon. It still __isn't__ true E2EE.
👉️ Do anyone even use it?
Glad you ask. Many companies banned use of Zoom and switched to alternatives such as Microsoft Teams, Skype, Hangout Meet and Jitsi. You probably won't see Jitsi's UI very often in the wild, but many companies use Jitsi VideoBridge as their backend for video conferences. Out of all the alternatives, only Jitsi allows self-hosting of server (Jitsi VideoBridge) AFAIK.
## How to install Jitsi server?
I followed __Nerd on the Street__'s [Host a Jitsi Meet Server](https://invidio.us/watch?v=IQRwtUamHQU) installation tutorial. It took about 30 minute of my time (I am a noob) to get the server running. It takes another 10 minutes to secure it.
---
When I started thus blog post, I didn'y expect it to turn into a rant about
When I started this blog post, I expected to list 2 reasons not to use WhatsApp and Zoom then start talking about why Jitsi is the answer to my family's Group Video Calling needs. To fact check what I knew about about them (Zoom in particular) I searched them on [Wikipedia](https://en.wikipedia.org/wiki/Zoom_(software) "Read more about Zoom on WikiPedia"). I learned much more than I expected. I am sorry for turning this post into "Rant of Zoom". I hope you learned a thing or two too.
I wanted to learn about Having 1 Million users since 2013 and not testing your softwares throughly for vulnerabilities is bad. Through Zoom, [attackers were stealing users' Windows credentials](https://web.archive.org/web/20200401220504/https://arstechnica.com/information-technology/2020/04/unpatched-zoom-bug-lets-attackers-steal-windows-credentials-with-no-warning/ "Attackers can use Zoom to steal users Windows credentials with no warning - ars technica [archive]"), [Zoom MacOS client vulnerabilities](https://medium.com/bugbountywriteup/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5 "Zoom Zero Day: 4+ Million Webcams & maybe an RCE? Just get them to visit your website! - InfoSec Write-Ups on Medium") that [can force MacOS users to join Zoom meeting with camera open and even reinstall Zoom after being uninstalled](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13450 - CVE), [send iOS users' data to Facebook](https://www.vice.com/en_us/article/k7e599/zoom-ios-app-sends-data-to-facebook-even-if-you-dont-have-a-facebook-account "Zoom iOS App Sends Data to Facebook Even if You Dont Have a Facebook Account - Vice"),
I know there wasn't much pressure on Zoom before the pandemic and they weren't well known company. Therefore independent cyber security researchers didn't test on Zoom's vulnerabilities. But Zoom should have hired cyber security folks and get their software tested much more firmly. Zoom was a company prioritizing user convenience over user privacy and data security.
--- previous attempts #1 ---
Of course our communications isn't only through voice and video calls. We have a family group on WhatsApp. And when I say family group, this includes my close relatives too. It won't be easy to convince everybody to switch to a more secure alternative such as Telegram. Especially my grandparents are having hard time whenever they need to learn something new.
---
### Other side of the coin
If you think I would be better of sticking to WhatsApp or Zoom, tell me more. Even though I read many negative things about Zoom, I will try my best to keep an open mind and hear people seeing other side of the coin. I am a human and can make mistakes. If there is something important I should know to better understand what is going on, please reply to comment toot linked below.
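Review bot: The E2EE answer praises "AES-256 ECB" as "one of the greatest encryption algorithms", but ECB is a mode of operation, not an algorithm, and it is the weak part of that pairing: identical plaintext blocks encrypt to identical ciphertext blocks, so structure in the data shows through. The same answer calls the feature end-to-end while the next answer says data "gets decrypted in Zoom and encrypted again", which describes transport encryption, so the two answers contradict each other. Suggest separating the cipher (AES) from the mode and stating once which party can read the stream. Separately, the tail of the hunk still carries draft material that ships with status: published: the "--- previous attempts #1 ---" marker, a sentence that ends in a comma after the Vice link, and a CVE link that puts " - CVE" inside the parentheses without quotes, so it is not a valid link title.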


@ -40,7 +40,7 @@
</nav>
<div id="submenu">
<ul>
<li><a href="https://murtezayesil.me/category/tech.html">Tech</a></li>
<li><a href="https://murtezayesil.me/category/tech.html">tech</a></li>
</ul>
<div>
</header><!-- /#banner -->
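Review bot: The line after `</ul>` is an opening `<div>` where the closing tag for `<div id="submenu">` is expected, so the submenu container is still open when `</header>` arrives. Since this change already touches the block, fix it to `</div>`; if this file is generated output, the fix belongs in the template that emits it, and the same pattern appears in the other HTML file in this commit.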
@ -48,6 +48,8 @@
<h1>Archives for Ali Murteza Yesil</h1>
<dl>
<dt>Sat 18 July 2020</dt>
<dd><a href="https://murtezayesil.me/digital-cleansing-jitsi.html">Digital Cleansing - Jitsi</a></dd>
<dt>Thu 16 July 2020</dt>
<dd><a href="https://murtezayesil.me/digital-cleansing-nextcloud.html">Digital Cleansing - NextCloud</a></dd>
<dt>Tue 14 July 2020</dt>


@ -40,49 +40,126 @@
</nav>
<div id="submenu">
<ul>
<li><a href="https://murtezayesil.me/category/tech.html">Tech</a></li>
<li><a href="https://murtezayesil.me/category/tech.html">tech</a></li>
</ul>
<div>
</header><!-- /#banner -->
<aside id="featured" class="body">
<article>
<h1 class="entry-title"><a href="https://murtezayesil.me/digital-cleansing-nextcloud.html">Digital Cleansing - NextCloud</a></h1>
<h1 class="entry-title"><a href="https://murtezayesil.me/digital-cleansing-jitsi.html">Digital Cleansing - Jitsi</a></h1>
<footer class="post-info">
<span>Sat 18 July 2020</span>
<span>| in <a href="https://murtezayesil.me/category/tech.html">tech</a></span>
<span>| tags: <a href="https://murtezayesil.me/tag/privacy.html">privacy</a><a href="https://murtezayesil.me/tag/jitsi.html">jitsi</a><a href="https://murtezayesil.me/tag/100daystooffload.html">100DaysToOffload</a></span> <span>| Day <strong>5</strong> of #100DaysToOffload</span>
</footer><!-- /.post-info --><p>My family is spread into 3 countries in 3 different continents. If we include my close relatives too, these numbers go even higher. It is important to stay in contact with your family and relatives in Turkish culture and we try to do that. Let it be weekend Zoom meetings (in 40 minute chunks :) or phone calls on WhatsApp (owned by Facebook), we heavily rely on third party services for communication. After launching NextCloud for my family to use, I what I wanted to tackle the <strong>Communication</strong> problem.</p>
<p>We have 3 kinds of communication needs in the family:<br>
1. Text messages<br>
2. Voice Calls<br>
3. (Mostly group) Video Calls</p>
<hr>
<h3>Text Messaging &amp; Voice Calls</h3>
<p>I have been usign Telegram wherever I can for few years. Its UI is very similar to that of WhatsApp which I hope will ease the transition for my relatives. Since it also has voice calling, I don't need to look for another service for that. I love hitting two birds with one stone (only in metaphor) 😄️ <br>
That being said, I won't actually talk much about WhatsApp. Facebook bought WhatsApp back in February 2014. I believe that was a great deal for Facebook and a terrible deal for users.<br>
I know I mentioned Telegram but there is one more great alternative to WhatsApp (or even Telegram). It is called <a href="https://signal.org/" title="Official page">Signal</a> and it is developed by a non-profit founded by Co-founder of WhatsApp, Brian Acton. It is one freaking secure messaging app 😎️</p>
<hr>
<h3>Group Video Calls</h3>
<p>My families' and relatives' current choice of Group Video Calling service is Zoom, just like millions of other people who needed a video calling service for remote work, distance education and calling their loved ones. But Zoom seemingly popped out of nowhere for many people. I wanted to learn more about who Zoom is and how trustable it is. I hope my findings will help you to make educated decisions.</p>
<p>Zoom was <a href="https://en.wikipedia.org/wiki/Zoom_(software)#History" title="History of Zoom on Wikipedia">launched in September 2012</a>, reached <a href="https://www.tmcnet.com/topics/articles/2013/05/23/339279-zoom-video-communications-reaches-1-million-participants.htm" title="Zoom Video Communications Reaches 1 Million Participants - TMCnet">1 Million user base in January 2013</a> and rapidly grow during global quarantine to a point that Zoom got <a href="https://web.archive.org/web/20200422125131/https://www.theguardian.com/technology/2020/mar/31/zoom-booms-as-demand-for-video-conferencing-tech-grows-in-coronavirus-outbreak" title="Zoom booms as demand for video-conferencing tech grows - The Guardian [archive]">2.13 Million downloads on March 23rd 2020</a>.</p>
<p>After some research (reading Wikipedia) I found that Zoom had many wounds that hurt many of its users. Given that Zoom reached 1 Million userbase 5 months after launching (from September 2012 to January 2013) and they were charging 9.99$/month, I expect Zoom to invest into infrastructure and app security. I am saying this because they clearly had time to fix issues in their apps before the pandemic arrived. Here are few examples to show how Zoom messed up:<br>
<strong>Windows</strong> : <a href="https://arstechnica.com/information-technology/2020/04/unpatched-zoom-bug-lets-attackers-steal-windows-credentials-with-no-warning/">Attackers can use Zoom to steal users Windows credentials with no warning - ars technica</a><br>
<strong>MacOS</strong> : <a href="https://threatpost.com/zoom-zero-day-mac-webcam-hijacking/146317/">Zoom Zero-Day Bug Opens Mac Users to Webcam Hijacking - threat post</a>. This prompted Apple to use its MRT (Malware Removal Tool) to remotely delete Zoom from Mac computers.<br>
<strong>MacOS</strong> : <a href="https://medium.com/bugbountywriteup/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5">Zoom Zero Day: 4+ Million Webcams &amp; maybe an RCE? Just get them to visit your website! - InfoSec Write-ups</a> allowing Zoom to reinstall itself after being uninstalled and join a video call with camera activated without user's permission.<br>
<strong>MacOS</strong> : <a href="https://nitter.net/c1truz_/status/1244737672930824193">Zoom App installation uses the same method used by malwares to gain root priviledges - Twitter thread on Nitter</a><br>
<strong>iOS</strong> : <a href="https://www.vice.com/en_ca/article/k7e599/zoom-ios-app-sends-data-to-facebook-even-if-you-dont-have-a-facebook-account">Zoom iOS App Sends Data to Facebook Even if You Dont Have a Facebook Account - Vice</a><br>
<strong>Android</strong> : I didn't find any news about Zoom Android App vulnerabilities. But if they used Facebook tracker in iOS app, I don't see any reason why zoom wouldn't use the same on Android
<strong>Linux</strong> : No vulnerability was found YET. Remember that <a href="https://netmarketshare.com/operating-system-market-share.aspx?options=%7B%22filter%22%3A%7B%22%24and%22%3A%5B%7B%22deviceType%22%3A%7B%22%24in%22%3A%5B%22Desktop%2Flaptop%22%5D%7D%7D%5D%7D%2C%22dateLabel%22%3A%22Custom%22%2C%22attributes%22%3A%22share%22%2C%22group%22%3A%22platform%22%2C%22sort%22%3A%7B%22share%22%3A-1%7D%2C%22id%22%3A%22platformsDesktop%22%2C%22dateInterval%22%3A%22Monthly%22%2C%22dateStart%22%3A%222019-08%22%2C%22dateEnd%22%3A%222020-06%22%2C%22plotKeys%22%3A%5B%7B%22platform%22%3A%22Linux%22%7D%2C%7B%22platform%22%3A%22Mac%20OS%22%7D%2C%7B%22platform%22%3A%22Chrome%20OS%22%7D%5D%2C%22segments%22%3A%22-1000%22%7D" title="Less than 4%">Linux desktop has a small marketshare</a> and apps for it are less likely to be targeted by hackers.</p>
<blockquote>
<p>"Zoom has just had so many missteps."
- Patrick Wardle, Jamf</p>
</blockquote>
<p>You can read about Zoom's vulnerabilities on MacOS and iOS in detail in <a href="https://objective-see.com/blog/blog_0x56.html" title="The 'S' in Zoom, Stands for Security - Objective-See">this blog post of Objective-See</a>. </p>
<p>These issues were <strong>FIXED</strong> by Zoom. But Zoom took long time to responde some of the cyber security personel as if it didn't care about the user privacy and security. I only mentioned the vulnerabilities in Zoom's apps. Zoom also <a href="https://www.axios.com/zoom-closes-chinese-user-account-tiananmen-square-f218fed1-69af-4bdd-aac4-7eaf67f34084.html" title="Zoom closed account of U.S.-based Chinese activist “to comply with local law” - Axios">contributed to censorship</a> by closing human rights activist Zhou Fengsuo's paid account and closing Social activist Lee Cheuk Yan's account upon China's request.</p>
<p>👉️ Since those vulnerabilities are fixed it should be safe to use Zoom, right?<br>
Unfortunately, NO. Even if apps became less vulnerable, users still are through weak privacy practices and use of third party trackers. Zoom's Privacy Policy is <a href="https://zoom.us/privacy#_Toc44414842">not assuring enough</a>.</p>
<p>👉️ They introduced end-to-end encryption, E2EE. Is it insecure encryption?<br>
AES-256 ECB algorithm used for E2EE is one of the greatest encryption algorithms out there. But it isn't enabled by default and enabling E2EE disables many features such as screensharing, which doesn't incentivise people to use E2EE. Both enterprise customers and teachers would want to use screensharing, thus not using E2EE.</p>
<p>👉️ They say Zoom encrypts every meeting by default. Are they lying?<br>
No, they are not. But they aren't telling the whole story either. When you start a Zoom meeting, your device establishes a connection to Zoom over <a href="https://en.wikipedia.org/wiki/Https#Security">HTTPS</a>. Meaning data is encrypted during transmission between you and Zoom. Data gets decrypted in Zoom and encrypted again before it goes to whoever you are meeting with. This is done because everybody in the meeting has different <a href="https://en.wikipedia.org/wiki/Session_key">session key</a> for encryption. Your meeting is apparent to Zoom, not hidden from it.</p>
<p>👉️ Zoom has faced <a href="https://en.wikipedia.org/wiki/Zero-day_(computing)" title="Learn about zero day attacks on Wikipedia">0-day attacks</a> which weren't fair.<br>
Not a question but I get your point. When a cyber security personal discovers a vulnerability, (s)he informs the vendor about the vulnerability in disguise and asks for bounty. Vendor checks if that is a legit vulnerability or a scam. Then they work together to fix the issue and vendor pays the bounty. Many companies have a <a href="https://www.intel.com/content/www/us/en/security-center/bug-bounty-program.html" title="Intel offers upto 100,000$">bug</a> <a href="https://hackerone.com/verizonmedia?type=team" title="Verizon offers upto 15,000$">bounty</a> <a href="https://www.microsoft.com/en-us/msrc/bounty" title="Microsoft offers upto 100,000$">program</a>.<br>
A cyber security personal may choose to release the vulnerability to public for it to be exploited by other people, which turns a vulnerability into zero day attack. This action incentivises vendor to fix that issue immediately since issue became well-known.<br>
Zoom had time since 2013 for testing its softwares properly. Proper testing would uncover those bugs before hackers did. Any company that is careless about security and privacy of its customers' deserves to be pinched to start acting.</p>
<p>What if I am forced to Zoom by my employer/school/family?<br>
Desktop/laptop users:<br>
1. Windows: Use virtual machine and apply one of the below Linux methods<br>
2. MacOS: Use virtual machine and apply one of the below Linux methods<br>
3. Linux: Install Linux Live image on a USB and boot into it everytime you need to Zoom. Install Zoom into that Live environment. Zoom will only be able to access what is in that Live environment. Shutting down a Live environment deletes everything that was installed in that session.<br>
4. Linux: <a href="https://ar.al/2020/06/25/how-to-use-the-zoom-malware-safely-on-linux-if-you-absolutely-have-to/" title="How to use the Zoom malware safely on Linux if you absolutely have to - Aral Balkan">Install Zoom into a firejail</a>, greatly limiting what it can reach.<br>
Mobile users:<br>
1. Android: <a href="https://www.howtogeek.com/333484/how-to-set-up-multiple-user-profiles-on-android/" title="This process maybe different for different brands">Create a restricted user</a> on your phone and install Zoom there. Not in your main user.
2. Android: If you can, use Zoom on Linux as described above.
3. iOS: Don't give it permissions if you don't need them. Don't let it run in background. Uninstall after using.
4. iOS: If you can, use Zoom on Linux as described above.</p>
<p>PS: I don't own a Mac, iPhone or Windows PC. But since Zoom on those platforms seem to be the affected most, I recommend everybody to use Zoom on Linux in a firejail if you absolutely have to.</p>
<p>I also wanted to read articles <a href="https://medium.com/@rowantrollope/beyond-the-noise-7-reasons-its-safe-to-run-zoom-9a2e639b13ec">that</a> <a href="https://blog.prialto.com/3-reasons-why-zoom-provides-the-best-video-conferencing-software">defend</a> <a href="https://www.forbes.com/sites/rebeccabellan/2020/03/24/what-you-need-to-know-about-using-zoom/#3cee9d0d3284">Zoom</a>. But they are mostly talking about Zoom's E2EE feature (that is not default), how people got creative with Virtual Background feature, Zoom's clean UI, ability to fake paying attention and its price. They either say nothing about Zooms privacy policy or even if they say something, it is not assuring in my opinion.</p>
<hr>
<h1>Jitsi</h1>
<p>Jitsi is an open source alternative to Video Calling (Conferencing) services. I will prove that Jitsi is much better than Zoom with only 1 sentence.</p>
<h1 style="text-align: center;">You can host Jitsi on your own server without relying on another entity</h1>
<p>You want more?</p>
<ol>
<li>Jitsi has Clean UI that is familiar to that of Zoom. </li>
<li>Jitsi <strong>doesn't</strong> have looping video feature which helps students or emplyees fake paying attention. </li>
<li>Jitsi is <strong title="Free Open Source Software">FOSS</strong> developed by <a href="https://8x8.com">8x8</a>. </li>
<li>
<p>Hosting Jitsi doesn't require a server with powerful CPU or GPU. Important resource is bandwidth. </p>
</li>
<li>
<p>Jitsi doesn't have virtual background but it instead has background blurring in development.</p>
</li>
</ol>
<p>👉️ Is it truely E2EE?<br>
<strong>This is what I understood from reading <a href="https://github.com/jitsi/jitsi-meet/issues/409#issuecomment-260652107">this threat</a>. Please correct me if I am wrong</strong><br>
Short answer is No.<br>
Long answer is: Just like in Zoom's case, connection between users and Jitsi VideoBridge (server) is encrypted. Server decrypts and encrypts everybody's stream for everybody else. But by having the control of Jitsi VideoBridge (server) by hosting it on your own server, you can assure that no other company/organization is holding your plain data except the recepient you are meeting with.<br>
That being said, Jitsi can establish P2P connection in rooms where there are only 2 people. This is a feature of WebRTC that Jitsi is built upon. It still <strong>isn't</strong> true E2EE.</p>
<p>👉️ Do anyone even use it?<br>
Glad you ask. Many companies banned use of Zoom and switched to alternatives such as Microsoft Teams, Skype, Hangout Meet and Jitsi. You probably won't see Jitsi's UI very often in the wild, but many companies use Jitsi VideoBridge as their backend for video conferences. Out of all the alternatives, only Jitsi allows self-hosting of server (Jitsi VideoBridge) AFAIK.</p>
<h2>How to install Jitsi server?</h2>
<p>I followed <strong>Nerd on the Street</strong>'s <a href="https://invidio.us/watch?v=IQRwtUamHQU">Host a Jitsi Meet Server</a> installation tutorial. It took about 30 minute of my time (I am a noob) to get the server running. It takes another 10 minutes to secure it.</p>
<hr>
<p>When I started this blog post, I expected to list 2 reasons not to use WhatsApp and Zoom then start talking about why Jitsi is the answer to my family's Group Video Calling needs. To fact check what I knew about about them (Zoom in particular) I searched them on <a href="https://en.wikipedia.org/wiki/Zoom_(software)" title="Read more about Zoom on WikiPedia">Wikipedia</a>. I learned much more than I expected. I am sorry for turning this post into "Rant of Zoom". I hope you learned a thing or two too.</p>
<hr>
<h3>Other side of the coin</h3>
<p>If you think I would be better of sticking to WhatsApp or Zoom, tell me more. Even though I read many negative things about Zoom, I will try my best to keep an open mind and hear people seeing other side of the coin. I am a human and can make mistakes. If there is something important I should know to better understand what is going on, please reply to comment toot linked below.</p><!-- Comments -->
<hr>
<h2>Comments</h2>
<p>Toot on <a href="https://fosstodon.org/@murtezayesil/104535970036319662">this thread</a> to comment. This blog is a static site. Comments won't appear here.</p>
</article>
</aside><!-- /#featured -->
<section id="content" class="body">
<h1>Other articles</h1>
<ol id="posts-list" class="hfeed">
<li><article class="hentry">
<header>
<h1><a href="https://murtezayesil.me/digital-cleansing-nextcloud.html" rel="bookmark"
title="Permalink to Digital Cleansing - NextCloud">Digital Cleansing - NextCloud</a></h1>
</header>
<div class="entry-content">
<footer class="post-info">
<span>Thu 16 July 2020</span>
<span>| in <a href="https://murtezayesil.me/category/tech.html">Tech</a></span>
<span>| tags: <a href="https://murtezayesil.me/tag/privacy.html">privacy</a><a href="https://murtezayesil.me/tag/nextcloud.html">nextcloud</a><a href="https://murtezayesil.me/tag/100daystooffload.html">100DaysToOffload</a></span> <span>| Day <strong>4</strong> of #100DaysToOffload</span>
</footer><!-- /.post-info --><p>This article reflects my opinions and experiences with few file server services.</p>
<p>TL;DR : I think NextCloud is a far superior product for the price.</p>
<p>Digital cleansing is about reowning personal data and regaining control over how it is processed. When I started digital cleansing, I wanted to start from where the most of my data is stored. There are 2 such services, Google Drive and Photos. I started by looking for <a href="https://alternativeto.net/software/google-drive/">alternatives</a>. OwnCloud and NextCloud seemed like <strong>affordable</strong> and <strong title="Free Open Source Software">FOSS</strong> alternatives that allow <strong title="Can be hosted on personal (or home) computer/server without relying on another service provider">self-hosting</strong>.</p>
<hr>
<h2>Owncloud</h2>
<p>I started my journey by renting a VM on Digital Ocean, droplet. I installed <a href="https://en.wikipedia.org/wiki/LAMP_(software_bundle)" title="Minimum set of softwares needed for a working web service">LAMP stack</a> and <a href="https://en.wikipedia.org/wiki/OwnCloud" title="File server service">OwnCloud</a>. As a new comer to OwnCloud, I started to click every button in every menu to discover and learn more about OwnCloud. <a href="https://marketplace.owncloud.com/">Marketplace</a>, a feature manager to add/remove more features, has many stuff that can appeal to enterprises and teams working from home. Next, I browsed the <a href="https://search.f-droid.org/?q=owncloud" title="Apps for OwnCloud on F-droid">available Android apps for OwnCloud</a>. To my surprise, there aren't many. I expected niche apps on Android for using niche features on marketplace. Instead, I would run into more <a href="https://search.f-droid.org/?q=nextcloud" title="Apps for NextCloud on F-droid">apps branded for NextCloud</a>. Meanwhile I updated the droplet, because updates are important, but ran into "kernel updates rendering server unbootable" kind of issues, I switched to Linode and NextCloud after strugling on Digital Ocean for a week.</p>
<p>Just like Owncloud's marketplace, NextCloud has its own "app store", I'd like to them "feature manager" instead because both marketplace and app store are used for en/disabling features on the platform. But NextCloud has niche apps for Android and I believe this provides more convenience to mobile users like myself.</p>
<hr>
<h2>NextCloud</h2>
<p>Since NextCloud is a file server in its core, it was the drop-in Google Drive &amp; Photos replacement I needed. It also has built-in <a href="https://en.wikipedia.org/wiki/WebDAV" title="Protocol for using remote file system over HTTP">WebDAV</a>, <a href="https://en.wikipedia.org/wiki/CardDAV" title="vCard (contact info) extension for WebDAV">CardDAV</a> and <a href="https://en.wikipedia.org/wiki/CalDAV" title="Calendar extension for WebDAV">CalDAV</a> support, which means I can use NextCloud as Google Contacts &amp; Calendar replacement as well and access files in native file manager as if it was a USB drive 🎉️</p>
<p>After enabling more services from feature manager (yes, I am sticking with this name) it also became my notes, tasks, bookmarks manager as well. All powered by a VM that costs 5$/month to run, +2$ for backup.</p>
<blockquote>
<p>One who loves roses should endure thorns - Turkish Proverb</p>
</blockquote>
<p>NextCloud is great. But just like every other artificial thing in this world, it isn't perfect. The biggest problem I face with it is the <strong>performance</strong> of web interface. It is written in PHP and being not compiled program is not doing any favors. Image preview loading can be called sluggish by many. Since I use mobile app most of the time which caches the previews, user experience isn't bad in my opinion.</p>
<hr>
<p><a href="https://kevq.uk" title="his blog">Kev Quirk</a> wrote a blog about his opinions and experiences with <strong title="My current choice of file server solution">NextCloud</strong> and <strong title="His choice of home server solution">Synology</strong>. This is my answer to <a href="https://kevq.uk/synology-vs-nextcloud-which-is-better-for-a-home-server/" title="Synology vs Nextcloud Which Is Better For A Home Server?">his blog</a>.</p>
<p>Synology's home server sound like a great product. I am happy for you and your family that your data is safe and accesible without giving up your privacy. After reading your blog, I wanted to try Synology as well. Upon seeing the price for <a href="https://www.newegg.com/synology-ds420/p/N82E16822108744" title="4 HDD bay NAS for home/small business use (disks not included)">Synology 420+</a> is 500$ and another 400$ for 4x <a href="https://www.newegg.com/seagate-ironwolf-st4000vn008-4tb/p/N82E16822179005" title="SeaGate NAS HDD">4TB HDD</a> for RAID 6, I believe NextCloud is the best choice I have. I am 1 student who has no movies, musics, 4K family photos or video project for YouTube channel to utilize TBs of storage not do I have budget for it. Under these requirements and constraints, I want to offer an alternative to Google to my family. Since I can't just ask for ~900$ for Synology, NextCloud on a VM is the best option I have. I still have option of increasing VM disk size or mounting external block storage as our storage needs grow.</p>
<p>It is nice that we have different perspectives on same topic. I wrote this answer because I wanted you to see from the eyes of a student living on pocket money and still afford for privacy of his and his family. May your Synology system last long and serve your family well 🙂️</p>
<hr>
<p>If you think Google services aren't that bad and I would be better off keep using Google services, <a href="https://tosdr.org/#google">here is my reasoning #1</a> and <a href="https://www.reuters.com/article/us-alphabet-google-privacy-lawsuit/google-faces-lawsuit-over-tracking-in-apps-even-when-users-opted-out-idUSKCN24F2N4" title="Google faces lawsuit over tracking in apps even when users opted out - Reuters">#2</a>. But if you still think that I should use Google services, tell me your reasoning and help me see your side of the coin. I would like to stay open minded.</p><!-- Comments -->
<hr>
<h2>Comments</h2>
<p>Toot on <a href="https://fosstodon.org/@murtezayesil/104521563799892039">this thread</a> to comment. This blog is a static site. Comments won't appear here.</p>
</article>
</aside><!-- /#featured -->
<section id="content" class="body">
<h1>Other articles</h1>
<ol id="posts-list" class="hfeed">
</footer><!-- /.post-info --> </div><!-- /.entry-content -->
</article></li>
<li><article class="hentry">
<header>
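Review bot: In the "Mobile users" list, Android items 1 and 2 and iOS item 3 end without `<br>`, unlike the desktop items above them, so the four mobile entries render as one run-on line. Give those source lines the same line-break treatment as the desktop list, or turn both lists into real Markdown lists. Also in this hunk, the link text "this threat" in the Jitsi E2EE paragraph should read "this thread", since it points at a GitHub issue comment.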

View File

@ -40,13 +40,13 @@
</nav>
<div id="submenu">
<ul>
<li><a href="https://murtezayesil.me/category/tech.html">Tech</a></li>
<li><a href="https://murtezayesil.me/category/tech.html">tech</a></li>
</ul>
<div>
</header><!-- /#banner -->
<section id="content" class="body">
<h1>Authors on Ali Murteza Yesil</h1> <li><a href="https://murtezayesil.me/author/ali-murteza-yesil.html">Ali Murteza Yesil</a> (4)</li>
<h1>Authors on Ali Murteza Yesil</h1> <li><a href="https://murtezayesil.me/author/ali-murteza-yesil.html">Ali Murteza Yesil</a> (5)</li>
</section>
<section id="extras" class="body">
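Review bot: On the changed author line, the `<li>` carrying the post count follows the `<h1>` directly with no enclosing `<ul>` or `<ol>`, which is invalid HTML; wrap it in a list in the authors template. The context line after `</ul>` in the submenu is `<div>` where a closing `</div>` for `<div id="submenu">` looks intended, so that is worth fixing in the same template pass.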

View File

@ -40,13 +40,13 @@
</nav>
<div id="submenu">
<ul>
<li><a href="https://murtezayesil.me/category/tech.html">Tech</a></li>
<li><a href="https://murtezayesil.me/category/tech.html">tech</a></li>
</ul>
<div>
</header><!-- /#banner -->
<h1>Categories on Ali Murteza Yesil</h1>
<ul>
<li><a href="https://murtezayesil.me/category/tech.html">Tech</a> (4)</li>
<li><a href="https://murtezayesil.me/category/tech.html">tech</a> (5)</li>
</ul>
<section id="extras" class="body">
<div class="blogroll">
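Review bot: The category label changes from "Tech" to "tech" in both the submenu and the category listing, while the link target stays category/tech.html. If the lowercase name is a side effect of how the new post spells its category rather than an intended rename, capitalise the category in that post's metadata so the site keeps one display name.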

View File

@ -2,7 +2,7 @@
<html lang="en">
<head>
<meta charset="utf-8" />
<title>Ali Murteza Yesil - Tech</title>
<title>Ali Murteza Yesil - tech</title>
<link rel="stylesheet" href="https://murtezayesil.me/theme/css/main.css" />
<link href="https://murtezayesil.me/feeds/atom.xml" type="application/atom+xml" rel="alternate" title="Ali Murteza Yesil Atom Feed" />
<link href="https://murtezayesil.me/feeds/rss.xml" type="application/rss+xml" rel="alternate" title="Ali Murteza Yesil RSS Feed" />
@ -40,49 +40,126 @@
</nav>
<div id="submenu">
<ul>
<li class="active"><a href="https://murtezayesil.me/category/tech.html">Tech</a></li>
<li class="active"><a href="https://murtezayesil.me/category/tech.html">tech</a></li>
</ul>
<div>
</header><!-- /#banner -->
<aside id="featured" class="body">
<article>
<h1 class="entry-title"><a href="https://murtezayesil.me/digital-cleansing-nextcloud.html">Digital Cleansing - NextCloud</a></h1>
<h1 class="entry-title"><a href="https://murtezayesil.me/digital-cleansing-jitsi.html">Digital Cleansing - Jitsi</a></h1>
<footer class="post-info">
<span>Sat 18 July 2020</span>
<span>| in <a href="https://murtezayesil.me/category/tech.html">tech</a></span>
<span>| tags: <a href="https://murtezayesil.me/tag/privacy.html">privacy</a><a href="https://murtezayesil.me/tag/jitsi.html">jitsi</a><a href="https://murtezayesil.me/tag/100daystooffload.html">100DaysToOffload</a></span> <span>| Day <strong>5</strong> of #100DaysToOffload</span>
</footer><!-- /.post-info --><p>My family is spread into 3 countries in 3 different continents. If we include my close relatives too, these numbers go even higher. It is important to stay in contact with your family and relatives in Turkish culture and we try to do that. Let it be weekend Zoom meetings (in 40 minute chunks :) or phone calls on WhatsApp (owned by Facebook), we heavily rely on third party services for communication. After launching NextCloud for my family to use, I what I wanted to tackle the <strong>Communication</strong> problem.</p>
<p>We have 3 kinds of communication needs in the family:<br>
1. Text messages<br>
2. Voice Calls<br>
3. (Mostly group) Video Calls</p>
<hr>
<h3>Text Messaging &amp; Voice Calls</h3>
<p>I have been usign Telegram wherever I can for few years. Its UI is very similar to that of WhatsApp which I hope will ease the transition for my relatives. Since it also has voice calling, I don't need to look for another service for that. I love hitting two birds with one stone (only in metaphor) 😄️ <br>
That being said, I won't actually talk much about WhatsApp. Facebook bought WhatsApp back in February 2014. I believe that was a great deal for Facebook and a terrible deal for users.<br>
I know I mentioned Telegram but there is one more great alternative to WhatsApp (or even Telegram). It is called <a href="https://signal.org/" title="Official page">Signal</a> and it is developed by a non-profit founded by Co-founder of WhatsApp, Brian Acton. It is one freaking secure messaging app 😎️</p>
<hr>
<h3>Group Video Calls</h3>
<p>My families' and relatives' current choice of Group Video Calling service is Zoom, just like millions of other people who needed a video calling service for remote work, distance education and calling their loved ones. But Zoom seemingly popped out of nowhere for many people. I wanted to learn more about who Zoom is and how trustable it is. I hope my findings will help you to make educated decisions.</p>
<p>Zoom was <a href="https://en.wikipedia.org/wiki/Zoom_(software)#History" title="History of Zoom on Wikipedia">launched in September 2012</a>, reached <a href="https://www.tmcnet.com/topics/articles/2013/05/23/339279-zoom-video-communications-reaches-1-million-participants.htm" title="Zoom Video Communications Reaches 1 Million Participants - TMCnet">1 Million user base in January 2013</a> and rapidly grow during global quarantine to a point that Zoom got <a href="https://web.archive.org/web/20200422125131/https://www.theguardian.com/technology/2020/mar/31/zoom-booms-as-demand-for-video-conferencing-tech-grows-in-coronavirus-outbreak" title="Zoom booms as demand for video-conferencing tech grows - The Guardian [archive]">2.13 Million downloads on March 23rd 2020</a>.</p>
<p>After some research (reading Wikipedia) I found that Zoom had many wounds that hurt many of its users. Given that Zoom reached 1 Million userbase 5 months after launching (from September 2012 to January 2013) and they were charging 9.99$/month, I expect Zoom to invest into infrastructure and app security. I am saying this because they clearly had time to fix issues in their apps before the pandemic arrived. Here are few examples to show how Zoom messed up:<br>
<strong>Windows</strong> : <a href="https://arstechnica.com/information-technology/2020/04/unpatched-zoom-bug-lets-attackers-steal-windows-credentials-with-no-warning/">Attackers can use Zoom to steal users Windows credentials with no warning - ars technica</a><br>
<strong>MacOS</strong> : <a href="https://threatpost.com/zoom-zero-day-mac-webcam-hijacking/146317/">Zoom Zero-Day Bug Opens Mac Users to Webcam Hijacking - threat post</a>. This prompted Apple to use its MRT (Malware Removal Tool) to remotely delete Zoom from Mac computers.<br>
<strong>MacOS</strong> : <a href="https://medium.com/bugbountywriteup/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5">Zoom Zero Day: 4+ Million Webcams &amp; maybe an RCE? Just get them to visit your website! - InfoSec Write-ups</a> allowing Zoom to reinstall itself after being uninstalled and join a video call with camera activated without user's permission.<br>
<strong>MacOS</strong> : <a href="https://nitter.net/c1truz_/status/1244737672930824193">Zoom App installation uses the same method used by malwares to gain root priviledges - Twitter thread on Nitter</a><br>
<strong>iOS</strong> : <a href="https://www.vice.com/en_ca/article/k7e599/zoom-ios-app-sends-data-to-facebook-even-if-you-dont-have-a-facebook-account">Zoom iOS App Sends Data to Facebook Even if You Dont Have a Facebook Account - Vice</a><br>
<strong>Android</strong> : I didn't find any news about Zoom Android App vulnerabilities. But if they used Facebook tracker in iOS app, I don't see any reason why zoom wouldn't use the same on Android
<strong>Linux</strong> : No vulnerability was found YET. Remember that <a href="https://netmarketshare.com/operating-system-market-share.aspx?options=%7B%22filter%22%3A%7B%22%24and%22%3A%5B%7B%22deviceType%22%3A%7B%22%24in%22%3A%5B%22Desktop%2Flaptop%22%5D%7D%7D%5D%7D%2C%22dateLabel%22%3A%22Custom%22%2C%22attributes%22%3A%22share%22%2C%22group%22%3A%22platform%22%2C%22sort%22%3A%7B%22share%22%3A-1%7D%2C%22id%22%3A%22platformsDesktop%22%2C%22dateInterval%22%3A%22Monthly%22%2C%22dateStart%22%3A%222019-08%22%2C%22dateEnd%22%3A%222020-06%22%2C%22plotKeys%22%3A%5B%7B%22platform%22%3A%22Linux%22%7D%2C%7B%22platform%22%3A%22Mac%20OS%22%7D%2C%7B%22platform%22%3A%22Chrome%20OS%22%7D%5D%2C%22segments%22%3A%22-1000%22%7D" title="Less than 4%">Linux desktop has a small marketshare</a> and apps for it are less likely to be targeted by hackers.</p>
<blockquote>
<p>"Zoom has just had so many missteps."
- Patrick Wardle, Jamf</p>
</blockquote>
<p>You can read about Zoom's vulnerabilities on MacOS and iOS in detail in <a href="https://objective-see.com/blog/blog_0x56.html" title="The 'S' in Zoom, Stands for Security - Objective-See">this blog post of Objective-See</a>. </p>
<p>These issues were <strong>FIXED</strong> by Zoom. But Zoom took long time to responde some of the cyber security personel as if it didn't care about the user privacy and security. I only mentioned the vulnerabilities in Zoom's apps. Zoom also <a href="https://www.axios.com/zoom-closes-chinese-user-account-tiananmen-square-f218fed1-69af-4bdd-aac4-7eaf67f34084.html" title="Zoom closed account of U.S.-based Chinese activist “to comply with local law” - Axios">contributed to censorship</a> by closing human rights activist Zhou Fengsuo's paid account and closing Social activist Lee Cheuk Yan's account upon China's request.</p>
<p>👉️ Since those vulnerabilities are fixed it should be safe to use Zoom, right?<br>
Unfortunately, NO. Even if apps became less vulnerable, users still are through weak privacy practices and use of third party trackers. Zoom's Privacy Policy is <a href="https://zoom.us/privacy#_Toc44414842">not assuring enough</a>.</p>
<p>👉️ They introduced end-to-end encryption, E2EE. Is it insecure encryption?<br>
AES-256 ECB algorithm used for E2EE is one of the greatest encryption algorithms out there. But it isn't enabled by default and enabling E2EE disables many features such as screensharing, which doesn't incentivise people to use E2EE. Both enterprise customers and teachers would want to use screensharing, thus not using E2EE.</p>
<p>👉️ They say Zoom encrypts every meeting by default. Are they lying?<br>
No, they are not. But they aren't telling the whole story either. When you start a Zoom meeting, your device establishes a connection to Zoom over <a href="https://en.wikipedia.org/wiki/Https#Security">HTTPS</a>. Meaning data is encrypted during transmission between you and Zoom. Data gets decrypted in Zoom and encrypted again before it goes to whoever you are meeting with. This is done because everybody in the meeting has different <a href="https://en.wikipedia.org/wiki/Session_key">session key</a> for encryption. Your meeting is apparent to Zoom, not hidden from it.</p>
<p>👉️ Zoom has faced <a href="https://en.wikipedia.org/wiki/Zero-day_(computing)" title="Learn about zero day attacks on Wikipedia">0-day attacks</a> which weren't fair.<br>
Not a question but I get your point. When a cyber security personal discovers a vulnerability, (s)he informs the vendor about the vulnerability in disguise and asks for bounty. Vendor checks if that is a legit vulnerability or a scam. Then they work together to fix the issue and vendor pays the bounty. Many companies have a <a href="https://www.intel.com/content/www/us/en/security-center/bug-bounty-program.html" title="Intel offers upto 100,000$">bug</a> <a href="https://hackerone.com/verizonmedia?type=team" title="Verizon offers upto 15,000$">bounty</a> <a href="https://www.microsoft.com/en-us/msrc/bounty" title="Microsoft offers upto 100,000$">program</a>.<br>
A cyber security personal may choose to release the vulnerability to public for it to be exploited by other people, which turns a vulnerability into zero day attack. This action incentivises vendor to fix that issue immediately since issue became well-known.<br>
Zoom had time since 2013 for testing its softwares properly. Proper testing would uncover those bugs before hackers did. Any company that is careless about security and privacy of its customers' deserves to be pinched to start acting.</p>
<p>What if I am forced to Zoom by my employer/school/family?<br>
Desktop/laptop users:<br>
1. Windows: Use virtual machine and apply one of the below Linux methods<br>
2. MacOS: Use virtual machine and apply one of the below Linux methods<br>
3. Linux: Install Linux Live image on a USB and boot into it everytime you need to Zoom. Install Zoom into that Live environment. Zoom will only be able to access what is in that Live environment. Shutting down a Live environment deletes everything that was installed in that session.<br>
4. Linux: <a href="https://ar.al/2020/06/25/how-to-use-the-zoom-malware-safely-on-linux-if-you-absolutely-have-to/" title="How to use the Zoom malware safely on Linux if you absolutely have to - Aral Balkan">Install Zoom into a firejail</a>, greatly limiting what it can reach.<br>
Mobile users:<br>
1. Android: <a href="https://www.howtogeek.com/333484/how-to-set-up-multiple-user-profiles-on-android/" title="This process maybe different for different brands">Create a restricted user</a> on your phone and install Zoom there. Not in your main user.
2. Android: If you can, use Zoom on Linux as described above.
3. iOS: Don't give it permissions if you don't need them. Don't let it run in background. Uninstall after using.
4. iOS: If you can, use Zoom on Linux as described above.</p>
<p>PS: I don't own a Mac, iPhone or Windows PC. But since Zoom on those platforms seem to be the affected most, I recommend everybody to use Zoom on Linux in a firejail if you absolutely have to.</p>
<p>I also wanted to read articles <a href="https://medium.com/@rowantrollope/beyond-the-noise-7-reasons-its-safe-to-run-zoom-9a2e639b13ec">that</a> <a href="https://blog.prialto.com/3-reasons-why-zoom-provides-the-best-video-conferencing-software">defend</a> <a href="https://www.forbes.com/sites/rebeccabellan/2020/03/24/what-you-need-to-know-about-using-zoom/#3cee9d0d3284">Zoom</a>. But they are mostly talking about Zoom's E2EE feature (that is not default), how people got creative with Virtual Background feature, Zoom's clean UI, ability to fake paying attention and its price. They either say nothing about Zooms privacy policy or even if they say something, it is not assuring in my opinion.</p>
<hr>
<h1>Jitsi</h1>
<p>Jitsi is an open source alternative to Video Calling (Conferencing) services. I will prove that Jitsi is much better than Zoom with only 1 sentence.</p>
<h1 style="text-align: center;">You can host Jitsi on your own server without relying on another entity</h1>
<p>You want more?</p>
<ol>
<li>Jitsi has Clean UI that is familiar to that of Zoom. </li>
<li>Jitsi <strong>doesn't</strong> have looping video feature which helps students or emplyees fake paying attention. </li>
<li>Jitsi is <strong title="Free Open Source Software">FOSS</strong> developed by <a href="https://8x8.com">8x8</a>. </li>
<li>
<p>Hosting Jitsi doesn't require a server with powerful CPU or GPU. Important resource is bandwidth. </p>
</li>
<li>
<p>Jitsi doesn't have virtual background but it instead has background blurring in development.</p>
</li>
</ol>
<p>👉️ Is it truely E2EE?<br>
<strong>This is what I understood from reading <a href="https://github.com/jitsi/jitsi-meet/issues/409#issuecomment-260652107">this threat</a>. Please correct me if I am wrong</strong><br>
Short answer is No.<br>
Long answer is: Just like in Zoom's case, connection between users and Jitsi VideoBridge (server) is encrypted. Server decrypts and encrypts everybody's stream for everybody else. But by having the control of Jitsi VideoBridge (server) by hosting it on your own server, you can assure that no other company/organization is holding your plain data except the recepient you are meeting with.<br>
That being said, Jitsi can establish P2P connection in rooms where there are only 2 people. This is a feature of WebRTC that Jitsi is built upon. It still <strong>isn't</strong> true E2EE.</p>
<p>👉️ Do anyone even use it?<br>
Glad you ask. Many companies banned use of Zoom and switched to alternatives such as Microsoft Teams, Skype, Hangout Meet and Jitsi. You probably won't see Jitsi's UI very often in the wild, but many companies use Jitsi VideoBridge as their backend for video conferences. Out of all the alternatives, only Jitsi allows self-hosting of server (Jitsi VideoBridge) AFAIK.</p>
<h2>How to install Jitsi server?</h2>
<p>I followed <strong>Nerd on the Street</strong>'s <a href="https://invidio.us/watch?v=IQRwtUamHQU">Host a Jitsi Meet Server</a> installation tutorial. It took about 30 minute of my time (I am a noob) to get the server running. It takes another 10 minutes to secure it.</p>
<hr>
<p>When I started this blog post, I expected to list 2 reasons not to use WhatsApp and Zoom then start talking about why Jitsi is the answer to my family's Group Video Calling needs. To fact check what I knew about about them (Zoom in particular) I searched them on <a href="https://en.wikipedia.org/wiki/Zoom_(software)" title="Read more about Zoom on WikiPedia">Wikipedia</a>. I learned much more than I expected. I am sorry for turning this post into "Rant of Zoom". I hope you learned a thing or two too.</p>
<hr>
<h3>Other side of the coin</h3>
<p>If you think I would be better of sticking to WhatsApp or Zoom, tell me more. Even though I read many negative things about Zoom, I will try my best to keep an open mind and hear people seeing other side of the coin. I am a human and can make mistakes. If there is something important I should know to better understand what is going on, please reply to comment toot linked below.</p><!-- Comments -->
<hr>
<h2>Comments</h2>
<p>Toot on <a href="https://fosstodon.org/@murtezayesil/104535970036319662">this thread</a> to comment. This blog is a static site. Comments won't appear here.</p>
</article>
</aside><!-- /#featured -->
<section id="content" class="body">
<h1>Other articles</h1>
<ol id="posts-list" class="hfeed">
<li><article class="hentry">
<header>
<h1><a href="https://murtezayesil.me/digital-cleansing-nextcloud.html" rel="bookmark"
title="Permalink to Digital Cleansing - NextCloud">Digital Cleansing - NextCloud</a></h1>
</header>
<div class="entry-content">
<footer class="post-info">
<span>Thu 16 July 2020</span>
<span>| in <a href="https://murtezayesil.me/category/tech.html">Tech</a></span>
<span>| tags: <a href="https://murtezayesil.me/tag/privacy.html">privacy</a><a href="https://murtezayesil.me/tag/nextcloud.html">nextcloud</a><a href="https://murtezayesil.me/tag/100daystooffload.html">100DaysToOffload</a></span> <span>| Day <strong>4</strong> of #100DaysToOffload</span>
</footer><!-- /.post-info --><p>This article reflects my opinions and experiences with few file server services.</p>
<p>TL;DR : I think NextCloud is a far superior product for the price.</p>
<p>Digital cleansing is about reowning personal data and regaining control over how it is processed. When I started digital cleansing, I wanted to start from where the most of my data is stored. There are 2 such services, Google Drive and Photos. I started by looking for <a href="https://alternativeto.net/software/google-drive/">alternatives</a>. OwnCloud and NextCloud seemed like <strong>affordable</strong> and <strong title="Free Open Source Software">FOSS</strong> alternatives that allow <strong title="Can be hosted on personal (or home) computer/server without relying on another service provider">self-hosting</strong>.</p>
<hr>
<h2>Owncloud</h2>
<p>I started my journey by renting a VM on Digital Ocean, droplet. I installed <a href="https://en.wikipedia.org/wiki/LAMP_(software_bundle)" title="Minimum set of softwares needed for a working web service">LAMP stack</a> and <a href="https://en.wikipedia.org/wiki/OwnCloud" title="File server service">OwnCloud</a>. As a new comer to OwnCloud, I started to click every button in every menu to discover and learn more about OwnCloud. <a href="https://marketplace.owncloud.com/">Marketplace</a>, a feature manager to add/remove more features, has many stuff that can appeal to enterprises and teams working from home. Next, I browsed the <a href="https://search.f-droid.org/?q=owncloud" title="Apps for OwnCloud on F-droid">available Android apps for OwnCloud</a>. To my surprise, there aren't many. I expected niche apps on Android for using niche features on marketplace. Instead, I would run into more <a href="https://search.f-droid.org/?q=nextcloud" title="Apps for NextCloud on F-droid">apps branded for NextCloud</a>. Meanwhile I updated the droplet, because updates are important, but ran into "kernel updates rendering server unbootable" kind of issues, I switched to Linode and NextCloud after strugling on Digital Ocean for a week.</p>
<p>Just like Owncloud's marketplace, NextCloud has its own "app store", I'd like to them "feature manager" instead because both marketplace and app store are used for en/disabling features on the platform. But NextCloud has niche apps for Android and I believe this provides more convenience to mobile users like myself.</p>
<hr>
<h2>NextCloud</h2>
<p>Since NextCloud is a file server in its core, it was the drop-in Google Drive &amp; Photos replacement I needed. It also has built-in <a href="https://en.wikipedia.org/wiki/WebDAV" title="Protocol for using remote file system over HTTP">WebDAV</a>, <a href="https://en.wikipedia.org/wiki/CardDAV" title="vCard (contact info) extension for WebDAV">CardDAV</a> and <a href="https://en.wikipedia.org/wiki/CalDAV" title="Calendar extension for WebDAV">CalDAV</a> support, which means I can use NextCloud as Google Contacts &amp; Calendar replacement as well and access files in native file manager as if it was a USB drive 🎉️</p>
<p>After enabling more services from feature manager (yes, I am sticking with this name) it also became my notes, tasks, bookmarks manager as well. All powered by a VM that costs 5$/month to run, +2$ for backup.</p>
<blockquote>
<p>One who loves roses should endure thorns - Turkish Proverb</p>
</blockquote>
<p>NextCloud is great. But just like every other artificial thing in this world, it isn't perfect. The biggest problem I face with it is the <strong>performance</strong> of web interface. It is written in PHP and being not compiled program is not doing any favors. Image preview loading can be called sluggish by many. Since I use mobile app most of the time which caches the previews, user experience isn't bad in my opinion.</p>
<hr>
<p><a href="https://kevq.uk" title="his blog">Kev Quirk</a> wrote a blog about his opinions and experiences with <strong title="My current choice of file server solution">NextCloud</strong> and <strong title="His choice of home server solution">Synology</strong>. This is my answer to <a href="https://kevq.uk/synology-vs-nextcloud-which-is-better-for-a-home-server/" title="Synology vs Nextcloud Which Is Better For A Home Server?">his blog</a>.</p>
<p>Synology's home server sound like a great product. I am happy for you and your family that your data is safe and accesible without giving up your privacy. After reading your blog, I wanted to try Synology as well. Upon seeing the price for <a href="https://www.newegg.com/synology-ds420/p/N82E16822108744" title="4 HDD bay NAS for home/small business use (disks not included)">Synology 420+</a> is 500$ and another 400$ for 4x <a href="https://www.newegg.com/seagate-ironwolf-st4000vn008-4tb/p/N82E16822179005" title="SeaGate NAS HDD">4TB HDD</a> for RAID 6, I believe NextCloud is the best choice I have. I am 1 student who has no movies, musics, 4K family photos or video project for YouTube channel to utilize TBs of storage not do I have budget for it. Under these requirements and constraints, I want to offer an alternative to Google to my family. Since I can't just ask for ~900$ for Synology, NextCloud on a VM is the best option I have. I still have option of increasing VM disk size or mounting external block storage as our storage needs grow.</p>
<p>It is nice that we have different perspectives on same topic. I wrote this answer because I wanted you to see from the eyes of a student living on pocket money and still afford for privacy of his and his family. May your Synology system last long and serve your family well 🙂️</p>
<hr>
<p>If you think Google services aren't that bad and I would be better off keep using Google services, <a href="https://tosdr.org/#google">here is my reasoning #1</a> and <a href="https://www.reuters.com/article/us-alphabet-google-privacy-lawsuit/google-faces-lawsuit-over-tracking-in-apps-even-when-users-opted-out-idUSKCN24F2N4" title="Google faces lawsuit over tracking in apps even when users opted out - Reuters">#2</a>. But if you still think that I should use Google services, tell me your reasoning and help me see your side of the coin. I would like to stay open minded.</p><!-- Comments -->
<hr>
<h2>Comments</h2>
<p>Toot on <a href="https://fosstodon.org/@murtezayesil/104521563799892039">this thread</a> to comment. This blog is a static site. Comments won't appear here.</p>
</article>
</aside><!-- /#featured -->
<section id="content" class="body">
<h1>Other articles</h1>
<ol id="posts-list" class="hfeed">
</footer><!-- /.post-info --> </div><!-- /.entry-content -->
</article></li>
<li><article class="hentry">
<header>

View File

@ -40,7 +40,7 @@
</nav>
<div id="submenu">
<ul>
<li class="active"><a href="https://murtezayesil.me/category/tech.html">Tech</a></li>
<li class="active"><a href="https://murtezayesil.me/category/tech.html">tech</a></li>
</ul>
<div>
</header><!-- /#banner -->
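Review bot: The active category link text in the submenu flips from "Tech" to "tech" while the href stays the same, and the identical flip repeats in the other generated pages in this commit. If the lowercase label is not intended, fix the casing at the source (the category name in the post metadata or the theme) rather than in the generated output. Separately, the context line `<div>` right after `</ul>` looks like a mistyped `</div>`: as written, `<div id="submenu">` is never closed before `</header>`, so the theme template is worth correcting.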

View File

@ -40,7 +40,7 @@
</nav>
<div id="submenu">
<ul>
<li class="active"><a href="https://murtezayesil.me/category/tech.html">Tech</a></li>
<li class="active"><a href="https://murtezayesil.me/category/tech.html">tech</a></li>
</ul>
<div>
</header><!-- /#banner -->

View File

@ -0,0 +1,182 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
<title>Digital Cleansing - Jitsi</title>
<link rel="stylesheet" href="https://murtezayesil.me/theme/css/main.css" />
<link href="https://murtezayesil.me/feeds/atom.xml" type="application/atom+xml" rel="alternate" title="Ali Murteza Yesil Atom Feed" />
<link href="https://murtezayesil.me/feeds/rss.xml" type="application/rss+xml" rel="alternate" title="Ali Murteza Yesil RSS Feed" />
<!-- This border added via BLACK_LIVES_MATTER toggle in site settings -->
<style>
body {
border-width: 5em ;
border-color: #000000 ;
border-style: none solid solid solid ; /* top border : none, right bottom left : solid */
}
</style>
<!--[if IE]>
<script src="http://html5shiv.googlecode.com/svn/trunk/html5.js"></script>
<![endif]-->
</head>
<body id="index" class="home">
<!-- This banner added via BLACK_LIVES_MATTER toggle in site settings -->
<div style="background-color: black; padding: 1em; margin-bottom: .8em">
<h1 style="text-align: center; margin-bottom: 0em"><a href="https://blacklivesmatter.com/" style="color: #fce21b; font-size: 2em">Black Lives Matter</a></h1>
</div>
<header id="banner" class="body">
<h1><a href="https://murtezayesil.me/">Ali Murteza Yesil <strong>Blog</strong></a></h1>
<nav><ul>
<li><a href="https://murtezayesil.me/pages/about.html">About</a></li>
<li><a href="https://murtezayesil.me/pages/contact.html">Contact</a></li>
</ul>
<form id="search" action"#" onsubmit="javascript:window.open('https://duckduckgo.com/?q='+document.getElementById('keywords').value+'+site:https://murtezayesil.me');">
<input id="keywords" type="text" />
</form>
</nav>
<div id="submenu">
<ul>
<li class="active"><a href="https://murtezayesil.me/category/tech.html">tech</a></li>
</ul>
<div>
</header><!-- /#banner -->
<section id="content" class="body">
<article>
<header>
<h1 class="entry-title">
<a href="https://murtezayesil.me/digital-cleansing-jitsi.html" rel="bookmark"
title="Permalink to Digital Cleansing - Jitsi">Digital Cleansing - Jitsi</a></h1>
</header>
<div class="entry-content">
<footer class="post-info">
<span>Sat 18 July 2020</span>
<span>| in <a href="https://murtezayesil.me/category/tech.html">tech</a></span>
<span>| tags: <a href="https://murtezayesil.me/tag/privacy.html">privacy</a><a href="https://murtezayesil.me/tag/jitsi.html">jitsi</a><a href="https://murtezayesil.me/tag/100daystooffload.html">100DaysToOffload</a></span> <span>| Day <strong>5</strong> of #100DaysToOffload</span>
</footer><!-- /.post-info --> <p>My family is spread into 3 countries in 3 different continents. If we include my close relatives too, these numbers go even higher. It is important to stay in contact with your family and relatives in Turkish culture and we try to do that. Let it be weekend Zoom meetings (in 40 minute chunks :) or phone calls on WhatsApp (owned by Facebook), we heavily rely on third party services for communication. After launching NextCloud for my family to use, I what I wanted to tackle the <strong>Communication</strong> problem.</p>
<p>We have 3 kinds of communication needs in the family:<br>
1. Text messages<br>
2. Voice Calls<br>
3. (Mostly group) Video Calls</p>
<hr>
<h3>Text Messaging &amp; Voice Calls</h3>
<p>I have been usign Telegram wherever I can for few years. Its UI is very similar to that of WhatsApp which I hope will ease the transition for my relatives. Since it also has voice calling, I don't need to look for another service for that. I love hitting two birds with one stone (only in metaphor) 😄️ <br>
That being said, I won't actually talk much about WhatsApp. Facebook bought WhatsApp back in February 2014. I believe that was a great deal for Facebook and a terrible deal for users.<br>
I know I mentioned Telegram but there is one more great alternative to WhatsApp (or even Telegram). It is called <a href="https://signal.org/" title="Official page">Signal</a> and it is developed by a non-profit founded by Co-founder of WhatsApp, Brian Acton. It is one freaking secure messaging app 😎️</p>
<hr>
<h3>Group Video Calls</h3>
<p>My families' and relatives' current choice of Group Video Calling service is Zoom, just like millions of other people who needed a video calling service for remote work, distance education and calling their loved ones. But Zoom seemingly popped out of nowhere for many people. I wanted to learn more about who Zoom is and how trustable it is. I hope my findings will help you to make educated decisions.</p>
<p>Zoom was <a href="https://en.wikipedia.org/wiki/Zoom_(software)#History" title="History of Zoom on Wikipedia">launched in September 2012</a>, reached <a href="https://www.tmcnet.com/topics/articles/2013/05/23/339279-zoom-video-communications-reaches-1-million-participants.htm" title="Zoom Video Communications Reaches 1 Million Participants - TMCnet">1 Million user base in January 2013</a> and rapidly grow during global quarantine to a point that Zoom got <a href="https://web.archive.org/web/20200422125131/https://www.theguardian.com/technology/2020/mar/31/zoom-booms-as-demand-for-video-conferencing-tech-grows-in-coronavirus-outbreak" title="Zoom booms as demand for video-conferencing tech grows - The Guardian [archive]">2.13 Million downloads on March 23rd 2020</a>.</p>
<p>After some research (reading Wikipedia) I found that Zoom had many wounds that hurt many of its users. Given that Zoom reached 1 Million userbase 5 months after launching (from September 2012 to January 2013) and they were charging 9.99$/month, I expect Zoom to invest into infrastructure and app security. I am saying this because they clearly had time to fix issues in their apps before the pandemic arrived. Here are few examples to show how Zoom messed up:<br>
<strong>Windows</strong> : <a href="https://arstechnica.com/information-technology/2020/04/unpatched-zoom-bug-lets-attackers-steal-windows-credentials-with-no-warning/">Attackers can use Zoom to steal users Windows credentials with no warning - ars technica</a><br>
<strong>MacOS</strong> : <a href="https://threatpost.com/zoom-zero-day-mac-webcam-hijacking/146317/">Zoom Zero-Day Bug Opens Mac Users to Webcam Hijacking - threat post</a>. This prompted Apple to use its MRT (Malware Removal Tool) to remotely delete Zoom from Mac computers.<br>
<strong>MacOS</strong> : <a href="https://medium.com/bugbountywriteup/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5">Zoom Zero Day: 4+ Million Webcams &amp; maybe an RCE? Just get them to visit your website! - InfoSec Write-ups</a> allowing Zoom to reinstall itself after being uninstalled and join a video call with camera activated without user's permission.<br>
<strong>MacOS</strong> : <a href="https://nitter.net/c1truz_/status/1244737672930824193">Zoom App installation uses the same method used by malwares to gain root priviledges - Twitter thread on Nitter</a><br>
<strong>iOS</strong> : <a href="https://www.vice.com/en_ca/article/k7e599/zoom-ios-app-sends-data-to-facebook-even-if-you-dont-have-a-facebook-account">Zoom iOS App Sends Data to Facebook Even if You Dont Have a Facebook Account - Vice</a><br>
<strong>Android</strong> : I didn't find any news about Zoom Android App vulnerabilities. But if they used Facebook tracker in iOS app, I don't see any reason why zoom wouldn't use the same on Android
<strong>Linux</strong> : No vulnerability was found YET. Remember that <a href="https://netmarketshare.com/operating-system-market-share.aspx?options=%7B%22filter%22%3A%7B%22%24and%22%3A%5B%7B%22deviceType%22%3A%7B%22%24in%22%3A%5B%22Desktop%2Flaptop%22%5D%7D%7D%5D%7D%2C%22dateLabel%22%3A%22Custom%22%2C%22attributes%22%3A%22share%22%2C%22group%22%3A%22platform%22%2C%22sort%22%3A%7B%22share%22%3A-1%7D%2C%22id%22%3A%22platformsDesktop%22%2C%22dateInterval%22%3A%22Monthly%22%2C%22dateStart%22%3A%222019-08%22%2C%22dateEnd%22%3A%222020-06%22%2C%22plotKeys%22%3A%5B%7B%22platform%22%3A%22Linux%22%7D%2C%7B%22platform%22%3A%22Mac%20OS%22%7D%2C%7B%22platform%22%3A%22Chrome%20OS%22%7D%5D%2C%22segments%22%3A%22-1000%22%7D" title="Less than 4%">Linux desktop has a small marketshare</a> and apps for it are less likely to be targeted by hackers.</p>
<blockquote>
<p>"Zoom has just had so many missteps."
- Patrick Wardle, Jamf</p>
</blockquote>
<p>You can read about Zoom's vulnerabilities on MacOS and iOS in detail in <a href="https://objective-see.com/blog/blog_0x56.html" title="The 'S' in Zoom, Stands for Security - Objective-See">this blog post of Objective-See</a>. </p>
<p>These issues were <strong>FIXED</strong> by Zoom. But Zoom took long time to responde some of the cyber security personel as if it didn't care about the user privacy and security. I only mentioned the vulnerabilities in Zoom's apps. Zoom also <a href="https://www.axios.com/zoom-closes-chinese-user-account-tiananmen-square-f218fed1-69af-4bdd-aac4-7eaf67f34084.html" title="Zoom closed account of U.S.-based Chinese activist “to comply with local law” - Axios">contributed to censorship</a> by closing human rights activist Zhou Fengsuo's paid account and closing Social activist Lee Cheuk Yan's account upon China's request.</p>
<p>👉️ Since those vulnerabilities are fixed it should be safe to use Zoom, right?<br>
Unfortunately, NO. Even if apps became less vulnerable, users still are through weak privacy practices and use of third party trackers. Zoom's Privacy Policy is <a href="https://zoom.us/privacy#_Toc44414842">not assuring enough</a>.</p>
<p>👉️ They introduced end-to-end encryption, E2EE. Is it insecure encryption?<br>
AES-256 ECB algorithm used for E2EE is one of the greatest encryption algorithms out there. But it isn't enabled by default and enabling E2EE disables many features such as screensharing, which doesn't incentivise people to use E2EE. Both enterprise customers and teachers would want to use screensharing, thus not using E2EE.</p>
<p>👉️ They say Zoom encrypts every meeting by default. Are they lying?<br>
No, they are not. But they aren't telling the whole story either. When you start a Zoom meeting, your device establishes a connection to Zoom over <a href="https://en.wikipedia.org/wiki/Https#Security">HTTPS</a>. Meaning data is encrypted during transmission between you and Zoom. Data gets decrypted in Zoom and encrypted again before it goes to whoever you are meeting with. This is done because everybody in the meeting has different <a href="https://en.wikipedia.org/wiki/Session_key">session key</a> for encryption. Your meeting is apparent to Zoom, not hidden from it.</p>
<p>👉️ Zoom has faced <a href="https://en.wikipedia.org/wiki/Zero-day_(computing)" title="Learn about zero day attacks on Wikipedia">0-day attacks</a> which weren't fair.<br>
Not a question but I get your point. When a cyber security personal discovers a vulnerability, (s)he informs the vendor about the vulnerability in disguise and asks for bounty. Vendor checks if that is a legit vulnerability or a scam. Then they work together to fix the issue and vendor pays the bounty. Many companies have a <a href="https://www.intel.com/content/www/us/en/security-center/bug-bounty-program.html" title="Intel offers upto 100,000$">bug</a> <a href="https://hackerone.com/verizonmedia?type=team" title="Verizon offers upto 15,000$">bounty</a> <a href="https://www.microsoft.com/en-us/msrc/bounty" title="Microsoft offers upto 100,000$">program</a>.<br>
A cyber security personal may choose to release the vulnerability to public for it to be exploited by other people, which turns a vulnerability into zero day attack. This action incentivises vendor to fix that issue immediately since issue became well-known.<br>
Zoom had time since 2013 for testing its softwares properly. Proper testing would uncover those bugs before hackers did. Any company that is careless about security and privacy of its customers' deserves to be pinched to start acting.</p>
<p>What if I am forced to Zoom by my employer/school/family?<br>
Desktop/laptop users:<br>
1. Windows: Use virtual machine and apply one of the below Linux methods<br>
2. MacOS: Use virtual machine and apply one of the below Linux methods<br>
3. Linux: Install Linux Live image on a USB and boot into it everytime you need to Zoom. Install Zoom into that Live environment. Zoom will only be able to access what is in that Live environment. Shutting down a Live environment deletes everything that was installed in that session.<br>
4. Linux: <a href="https://ar.al/2020/06/25/how-to-use-the-zoom-malware-safely-on-linux-if-you-absolutely-have-to/" title="How to use the Zoom malware safely on Linux if you absolutely have to - Aral Balkan">Install Zoom into a firejail</a>, greatly limiting what it can reach.<br>
Mobile users:<br>
1. Android: <a href="https://www.howtogeek.com/333484/how-to-set-up-multiple-user-profiles-on-android/" title="This process maybe different for different brands">Create a restricted user</a> on your phone and install Zoom there. Not in your main user.
2. Android: If you can, use Zoom on Linux as described above.
3. iOS: Don't give it permissions if you don't need them. Don't let it run in background. Uninstall after using.
4. iOS: If you can, use Zoom on Linux as described above.</p>
<p>PS: I don't own a Mac, iPhone or Windows PC. But since Zoom on those platforms seem to be the affected most, I recommend everybody to use Zoom on Linux in a firejail if you absolutely have to.</p>
<p>I also wanted to read articles <a href="https://medium.com/@rowantrollope/beyond-the-noise-7-reasons-its-safe-to-run-zoom-9a2e639b13ec">that</a> <a href="https://blog.prialto.com/3-reasons-why-zoom-provides-the-best-video-conferencing-software">defend</a> <a href="https://www.forbes.com/sites/rebeccabellan/2020/03/24/what-you-need-to-know-about-using-zoom/#3cee9d0d3284">Zoom</a>. But they are mostly talking about Zoom's E2EE feature (that is not default), how people got creative with Virtual Background feature, Zoom's clean UI, ability to fake paying attention and its price. They either say nothing about Zooms privacy policy or even if they say something, it is not assuring in my opinion.</p>
<hr>
<h1>Jitsi</h1>
<p>Jitsi is an open source alternative to Video Calling (Conferencing) services. I will prove that Jitsi is much better than Zoom with only 1 sentence.</p>
<h1 style="text-align: center;">You can host Jitsi on your own server without relying on another entity</h1>
<p>You want more?</p>
<ol>
<li>Jitsi has Clean UI that is familiar to that of Zoom. </li>
<li>Jitsi <strong>doesn't</strong> have looping video feature which helps students or emplyees fake paying attention. </li>
<li>Jitsi is <strong title="Free Open Source Software">FOSS</strong> developed by <a href="https://8x8.com">8x8</a>. </li>
<li>
<p>Hosting Jitsi doesn't require a server with powerful CPU or GPU. Important resource is bandwidth. </p>
</li>
<li>
<p>Jitsi doesn't have virtual background but it instead has background blurring in development.</p>
</li>
</ol>
<p>👉️ Is it truely E2EE?<br>
<strong>This is what I understood from reading <a href="https://github.com/jitsi/jitsi-meet/issues/409#issuecomment-260652107">this threat</a>. Please correct me if I am wrong</strong><br>
Short answer is No.<br>
Long answer is: Just like in Zoom's case, connection between users and Jitsi VideoBridge (server) is encrypted. Server decrypts and encrypts everybody's stream for everybody else. But by having the control of Jitsi VideoBridge (server) by hosting it on your own server, you can assure that no other company/organization is holding your plain data except the recepient you are meeting with.<br>
That being said, Jitsi can establish P2P connection in rooms where there are only 2 people. This is a feature of WebRTC that Jitsi is built upon. It still <strong>isn't</strong> true E2EE.</p>
<p>👉️ Do anyone even use it?<br>
Glad you ask. Many companies banned use of Zoom and switched to alternatives such as Microsoft Teams, Skype, Hangout Meet and Jitsi. You probably won't see Jitsi's UI very often in the wild, but many companies use Jitsi VideoBridge as their backend for video conferences. Out of all the alternatives, only Jitsi allows self-hosting of server (Jitsi VideoBridge) AFAIK.</p>
<h2>How to install Jitsi server?</h2>
<p>I followed <strong>Nerd on the Street</strong>'s <a href="https://invidio.us/watch?v=IQRwtUamHQU">Host a Jitsi Meet Server</a> installation tutorial. It took about 30 minute of my time (I am a noob) to get the server running. It takes another 10 minutes to secure it.</p>
<hr>
<p>When I started this blog post, I expected to list 2 reasons not to use WhatsApp and Zoom then start talking about why Jitsi is the answer to my family's Group Video Calling needs. To fact check what I knew about about them (Zoom in particular) I searched them on <a href="https://en.wikipedia.org/wiki/Zoom_(software)" title="Read more about Zoom on WikiPedia">Wikipedia</a>. I learned much more than I expected. I am sorry for turning this post into "Rant of Zoom". I hope you learned a thing or two too.</p>
<hr>
<h3>Other side of the coin</h3>
<p>If you think I would be better of sticking to WhatsApp or Zoom, tell me more. Even though I read many negative things about Zoom, I will try my best to keep an open mind and hear people seeing other side of the coin. I am a human and can make mistakes. If there is something important I should know to better understand what is going on, please reply to comment toot linked below.</p>
</div><!-- /.entry-content -->
<!-- #100DaysToOffload message -->
<p>Day <strong>5</strong> of <a href="https://100daystooffload.com/" title="click to read about the challenge">#100DaysToOffload</a></p>
<!-- Comments -->
<hr>
<h2>Comments</h2>
<p>Toot on <a href="https://fosstodon.org/@murtezayesil/104535970036319662">this thread</a> to comment. This blog is a static site. Comments won't appear here.</p>
</article>
</section>
<section id="extras" class="body">
<div class="blogroll">
<h2>blogroll</h2>
<ul>
<li><a href="https://kevq.uk">Kev Quirk</a></li>
<li><a href="https://mikestone.me">Mike Stone</a></li>
<li><a href="https://yarmo.eu/">Yarmo Mackenbach</a></li>
</ul>
</div><!-- /.blogroll -->
<div class="social">
<h2>social</h2>
<ul>
<li><a href="https://murtezayesil.me/feeds/atom.xml" type="application/atom+xml" rel="alternate">atom feed</a></li>
<li><a href="https://murtezayesil.me/feeds/rss.xml" type="application/rss+xml" rel="alternate">rss feed</a></li>
<li><a href="https://fosstodon.org/@murtezayesil">Fostodon</a></li>
</ul>
</div><!-- /.social -->
</section><!-- /#extras -->
<footer id="contentinfo" class="body">
<p>Powered by <a href="http://getpelican.com/">Pelican</a>. Theme <a href="https://github.com/blueicefield/pelican-blueidea/">blueidea</a>, inspired by the default theme.</p>
</footer><!-- /#contentinfo -->
</body>
</html>
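Review bot: The E2EE answer under "Group Video Calls" calls "AES-256 ECB" one of the greatest encryption algorithms, but ECB is the weak part of that name. ECB encrypts each block independently and deterministically, so identical plaintext blocks yield identical ciphertext blocks and patterns in the data remain visible whatever the key size. Suggest rewording so that AES (the cipher) is separated from the mode, and ECB is presented as a reason for concern rather than reassurance. In the template part of the file, the search form has `action"#"` (missing `=`) and builds the DuckDuckGo URL by concatenating the raw value of `keywords`; wrap that value in `encodeURIComponent(...)` so characters such as `&` or `#` in a query cannot change the URL, and drop the `javascript:` prefix, which acts only as a label inside an event-handler attribute. The IE conditional comment loads html5shiv over plain `http://`; use `https://` or remove the include. Minor: "this threat" in the Jitsi E2EE answer links to a GitHub issue comment and presumably should read "this thread", the Android line in the Zoom list is missing its trailing `<br>`, and the `<div>` after the submenu `</ul>` should be `</div>`.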

View File

@ -40,7 +40,7 @@
</nav>
<div id="submenu">
<ul>
<li class="active"><a href="https://murtezayesil.me/category/tech.html">Tech</a></li>
<li class="active"><a href="https://murtezayesil.me/category/tech.html">tech</a></li>
</ul>
<div>
</header><!-- /#banner -->

View File

@ -1,5 +1,86 @@
<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom"><title>Ali Murteza Yesil</title><link href="https://murtezayesil.me/" rel="alternate"></link><link href="https://murtezayesil.me/feeds/atom.xml" rel="self"></link><id>https://murtezayesil.me/</id><updated>2020-07-16T10:00:00+06:00</updated><subtitle>Blog</subtitle><entry><title>Digital Cleansing - NextCloud</title><link href="https://murtezayesil.me/digital-cleansing-nextcloud.html" rel="alternate"></link><published>2020-07-16T10:00:00+06:00</published><updated>2020-07-16T10:00:00+06:00</updated><author><name>Ali Murteza Yesil</name></author><id>tag:murtezayesil.me,2020-07-16:/digital-cleansing-nextcloud.html</id><summary type="html">&lt;p&gt;NextCloud has 4 things going for me. It is FOSS, it gives me control, it is convenient and it works.&lt;/p&gt;</summary><content type="html">&lt;p&gt;This article reflects my opinions and experiences with few file server services.&lt;/p&gt;
<feed xmlns="http://www.w3.org/2005/Atom"><title>Ali Murteza Yesil</title><link href="https://murtezayesil.me/" rel="alternate"></link><link href="https://murtezayesil.me/feeds/atom.xml" rel="self"></link><id>https://murtezayesil.me/</id><updated>2020-07-18T00:00:00+06:00</updated><subtitle>Blog</subtitle><entry><title>Digital Cleansing - Jitsi</title><link href="https://murtezayesil.me/digital-cleansing-jitsi.html" rel="alternate"></link><published>2020-07-18T00:00:00+06:00</published><updated>2020-07-18T00:00:00+06:00</updated><author><name>Ali Murteza Yesil</name></author><id>tag:murtezayesil.me,2020-07-18:/digital-cleansing-jitsi.html</id><summary type="html">&lt;p&gt;My family and relatives live different countries and make good use of video calling services regardless of who is offering the service&lt;/p&gt;</summary><content type="html">&lt;p&gt;My family is spread into 3 countries in 3 different continents. If we include my close relatives too, these numbers go even higher. It is important to stay in contact with your family and relatives in Turkish culture and we try to do that. Let it be weekend Zoom meetings (in 40 minute chunks :) or phone calls on WhatsApp (owned by Facebook), we heavily rely on third party services for communication. After launching NextCloud for my family to use, I what I wanted to tackle the &lt;strong&gt;Communication&lt;/strong&gt; problem.&lt;/p&gt;
&lt;p&gt;We have 3 kinds of communication needs in the family:&lt;br&gt;
1. Text messages&lt;br&gt;
2. Voice Calls&lt;br&gt;
3. (Mostly group) Video Calls&lt;/p&gt;
&lt;hr&gt;
&lt;h3&gt;Text Messaging &amp;amp; Voice Calls&lt;/h3&gt;
&lt;p&gt;I have been usign Telegram wherever I can for few years. Its UI is very similar to that of WhatsApp which I hope will ease the transition for my relatives. Since it also has voice calling, I don't need to look for another service for that. I love hitting two birds with one stone (only in metaphor) 😄️ &lt;br&gt;
That being said, I won't actually talk much about WhatsApp. Facebook bought WhatsApp back in February 2014. I believe that was a great deal for Facebook and a terrible deal for users.&lt;br&gt;
I know I mentioned Telegram but there is one more great alternative to WhatsApp (or even Telegram). It is called &lt;a href="https://signal.org/" title="Official page"&gt;Signal&lt;/a&gt; and it is developed by a non-profit founded by Co-founder of WhatsApp, Brian Acton. It is one freaking secure messaging app 😎️&lt;/p&gt;
&lt;hr&gt;
&lt;h3&gt;Group Video Calls&lt;/h3&gt;
&lt;p&gt;My families' and relatives' current choice of Group Video Calling service is Zoom, just like millions of other people who needed a video calling service for remote work, distance education and calling their loved ones. But Zoom seemingly popped out of nowhere for many people. I wanted to learn more about who Zoom is and how trustable it is. I hope my findings will help you to make educated decisions.&lt;/p&gt;
&lt;p&gt;Zoom was &lt;a href="https://en.wikipedia.org/wiki/Zoom_(software)#History" title="History of Zoom on Wikipedia"&gt;launched in September 2012&lt;/a&gt;, reached &lt;a href="https://www.tmcnet.com/topics/articles/2013/05/23/339279-zoom-video-communications-reaches-1-million-participants.htm" title="Zoom Video Communications Reaches 1 Million Participants - TMCnet"&gt;1 Million user base in January 2013&lt;/a&gt; and rapidly grow during global quarantine to a point that Zoom got &lt;a href="https://web.archive.org/web/20200422125131/https://www.theguardian.com/technology/2020/mar/31/zoom-booms-as-demand-for-video-conferencing-tech-grows-in-coronavirus-outbreak" title="Zoom booms as demand for video-conferencing tech grows - The Guardian [archive]"&gt;2.13 Million downloads on March 23rd 2020&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;After some research (reading Wikipedia) I found that Zoom had many wounds that hurt many of its users. Given that Zoom reached 1 Million userbase 5 months after launching (from September 2012 to January 2013) and they were charging 9.99$/month, I expect Zoom to invest into infrastructure and app security. I am saying this because they clearly had time to fix issues in their apps before the pandemic arrived. Here are few examples to show how Zoom messed up:&lt;br&gt;
&lt;strong&gt;Windows&lt;/strong&gt; : &lt;a href="https://arstechnica.com/information-technology/2020/04/unpatched-zoom-bug-lets-attackers-steal-windows-credentials-with-no-warning/"&gt;Attackers can use Zoom to steal users Windows credentials with no warning - ars technica&lt;/a&gt;&lt;br&gt;
&lt;strong&gt;MacOS&lt;/strong&gt; : &lt;a href="https://threatpost.com/zoom-zero-day-mac-webcam-hijacking/146317/"&gt;Zoom Zero-Day Bug Opens Mac Users to Webcam Hijacking - threat post&lt;/a&gt;. This prompted Apple to use its MRT (Malware Removal Tool) to remotely delete Zoom from Mac computers.&lt;br&gt;
&lt;strong&gt;MacOS&lt;/strong&gt; : &lt;a href="https://medium.com/bugbountywriteup/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5"&gt;Zoom Zero Day: 4+ Million Webcams &amp;amp; maybe an RCE? Just get them to visit your website! - InfoSec Write-ups&lt;/a&gt; allowing Zoom to reinstall itself after being uninstalled and join a video call with camera activated without user's permission.&lt;br&gt;
&lt;strong&gt;MacOS&lt;/strong&gt; : &lt;a href="https://nitter.net/c1truz_/status/1244737672930824193"&gt;Zoom App installation uses the same method used by malwares to gain root priviledges - Twitter thread on Nitter&lt;/a&gt;&lt;br&gt;
&lt;strong&gt;iOS&lt;/strong&gt; : &lt;a href="https://www.vice.com/en_ca/article/k7e599/zoom-ios-app-sends-data-to-facebook-even-if-you-dont-have-a-facebook-account"&gt;Zoom iOS App Sends Data to Facebook Even if You Dont Have a Facebook Account - Vice&lt;/a&gt;&lt;br&gt;
&lt;strong&gt;Android&lt;/strong&gt; : I didn't find any news about Zoom Android App vulnerabilities. But if they used Facebook tracker in iOS app, I don't see any reason why zoom wouldn't use the same on Android
&lt;strong&gt;Linux&lt;/strong&gt; : No vulnerability was found YET. Remember that &lt;a href="https://netmarketshare.com/operating-system-market-share.aspx?options=%7B%22filter%22%3A%7B%22%24and%22%3A%5B%7B%22deviceType%22%3A%7B%22%24in%22%3A%5B%22Desktop%2Flaptop%22%5D%7D%7D%5D%7D%2C%22dateLabel%22%3A%22Custom%22%2C%22attributes%22%3A%22share%22%2C%22group%22%3A%22platform%22%2C%22sort%22%3A%7B%22share%22%3A-1%7D%2C%22id%22%3A%22platformsDesktop%22%2C%22dateInterval%22%3A%22Monthly%22%2C%22dateStart%22%3A%222019-08%22%2C%22dateEnd%22%3A%222020-06%22%2C%22plotKeys%22%3A%5B%7B%22platform%22%3A%22Linux%22%7D%2C%7B%22platform%22%3A%22Mac%20OS%22%7D%2C%7B%22platform%22%3A%22Chrome%20OS%22%7D%5D%2C%22segments%22%3A%22-1000%22%7D" title="Less than 4%"&gt;Linux desktop has a small marketshare&lt;/a&gt; and apps for it are less likely to be targeted by hackers.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;"Zoom has just had so many missteps."
- Patrick Wardle, Jamf&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;You can read about Zoom's vulnerabilities on MacOS and iOS in detail in &lt;a href="https://objective-see.com/blog/blog_0x56.html" title="The 'S' in Zoom, Stands for Security - Objective-See"&gt;this blog post of Objective-See&lt;/a&gt;. &lt;/p&gt;
&lt;p&gt;These issues were &lt;strong&gt;FIXED&lt;/strong&gt; by Zoom. But Zoom took long time to responde some of the cyber security personel as if it didn't care about the user privacy and security. I only mentioned the vulnerabilities in Zoom's apps. Zoom also &lt;a href="https://www.axios.com/zoom-closes-chinese-user-account-tiananmen-square-f218fed1-69af-4bdd-aac4-7eaf67f34084.html" title="Zoom closed account of U.S.-based Chinese activist “to comply with local law” - Axios"&gt;contributed to censorship&lt;/a&gt; by closing human rights activist Zhou Fengsuo's paid account and closing Social activist Lee Cheuk Yan's account upon China's request.&lt;/p&gt;
&lt;p&gt;👉️ Since those vulnerabilities are fixed it should be safe to use Zoom, right?&lt;br&gt;
Unfortunately, NO. Even if apps became less vulnerable, users still are through weak privacy practices and use of third party trackers. Zoom's Privacy Policy is &lt;a href="https://zoom.us/privacy#_Toc44414842"&gt;not assuring enough&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;👉️ They introduced end-to-end encryption, E2EE. Is it insecure encryption?&lt;br&gt;
AES-256 ECB algorithm used for E2EE is one of the greatest encryption algorithms out there. But it isn't enabled by default and enabling E2EE disables many features such as screensharing, which doesn't incentivise people to use E2EE. Both enterprise customers and teachers would want to use screensharing, thus not using E2EE.&lt;/p&gt;
&lt;p&gt;👉️ They say Zoom encrypts every meeting by default. Are they lying?&lt;br&gt;
No, they are not. But they aren't telling the whole story either. When you start a Zoom meeting, your device establishes a connection to Zoom over &lt;a href="https://en.wikipedia.org/wiki/Https#Security"&gt;HTTPS&lt;/a&gt;. Meaning data is encrypted during transmission between you and Zoom. Data gets decrypted in Zoom and encrypted again before it goes to whoever you are meeting with. This is done because everybody in the meeting has different &lt;a href="https://en.wikipedia.org/wiki/Session_key"&gt;session key&lt;/a&gt; for encryption. Your meeting is apparent to Zoom, not hidden from it.&lt;/p&gt;
&lt;p&gt;👉️ Zoom has faced &lt;a href="https://en.wikipedia.org/wiki/Zero-day_(computing)" title="Learn about zero day attacks on Wikipedia"&gt;0-day attacks&lt;/a&gt; which weren't fair.&lt;br&gt;
Not a question but I get your point. When a cyber security personal discovers a vulnerability, (s)he informs the vendor about the vulnerability in disguise and asks for bounty. Vendor checks if that is a legit vulnerability or a scam. Then they work together to fix the issue and vendor pays the bounty. Many companies have a &lt;a href="https://www.intel.com/content/www/us/en/security-center/bug-bounty-program.html" title="Intel offers upto 100,000$"&gt;bug&lt;/a&gt; &lt;a href="https://hackerone.com/verizonmedia?type=team" title="Verizon offers upto 15,000$"&gt;bounty&lt;/a&gt; &lt;a href="https://www.microsoft.com/en-us/msrc/bounty" title="Microsoft offers upto 100,000$"&gt;program&lt;/a&gt;.&lt;br&gt;
A cyber security personal may choose to release the vulnerability to public for it to be exploited by other people, which turns a vulnerability into zero day attack. This action incentivises vendor to fix that issue immediately since issue became well-known.&lt;br&gt;
Zoom had time since 2013 for testing its softwares properly. Proper testing would uncover those bugs before hackers did. Any company that is careless about security and privacy of its customers' deserves to be pinched to start acting.&lt;/p&gt;
&lt;p&gt;What if I am forced to Zoom by my employer/school/family?&lt;br&gt;
Desktop/laptop users:&lt;br&gt;
1. Windows: Use virtual machine and apply one of the below Linux methods&lt;br&gt;
2. MacOS: Use virtual machine and apply one of the below Linux methods&lt;br&gt;
3. Linux: Install Linux Live image on a USB and boot into it everytime you need to Zoom. Install Zoom into that Live environment. Zoom will only be able to access what is in that Live environment. Shutting down a Live environment deletes everything that was installed in that session.&lt;br&gt;
4. Linux: &lt;a href="https://ar.al/2020/06/25/how-to-use-the-zoom-malware-safely-on-linux-if-you-absolutely-have-to/" title="How to use the Zoom malware safely on Linux if you absolutely have to - Aral Balkan"&gt;Install Zoom into a firejail&lt;/a&gt;, greatly limiting what it can reach.&lt;br&gt;
Mobile users:&lt;br&gt;
1. Android: &lt;a href="https://www.howtogeek.com/333484/how-to-set-up-multiple-user-profiles-on-android/" title="This process maybe different for different brands"&gt;Create a restricted user&lt;/a&gt; on your phone and install Zoom there. Not in your main user.
2. Android: If you can, use Zoom on Linux as described above.
3. iOS: Don't give it permissions if you don't need them. Don't let it run in background. Uninstall after using.
4. iOS: If you can, use Zoom on Linux as described above.&lt;/p&gt;
&lt;p&gt;PS: I don't own a Mac, iPhone or Windows PC. But since Zoom on those platforms seem to be the affected most, I recommend everybody to use Zoom on Linux in a firejail if you absolutely have to.&lt;/p&gt;
&lt;p&gt;I also wanted to read articles &lt;a href="https://medium.com/@rowantrollope/beyond-the-noise-7-reasons-its-safe-to-run-zoom-9a2e639b13ec"&gt;that&lt;/a&gt; &lt;a href="https://blog.prialto.com/3-reasons-why-zoom-provides-the-best-video-conferencing-software"&gt;defend&lt;/a&gt; &lt;a href="https://www.forbes.com/sites/rebeccabellan/2020/03/24/what-you-need-to-know-about-using-zoom/#3cee9d0d3284"&gt;Zoom&lt;/a&gt;. But they are mostly talking about Zoom's E2EE feature (that is not default), how people got creative with Virtual Background feature, Zoom's clean UI, ability to fake paying attention and its price. They either say nothing about Zooms privacy policy or even if they say something, it is not assuring in my opinion.&lt;/p&gt;
&lt;hr&gt;
&lt;h1&gt;Jitsi&lt;/h1&gt;
&lt;p&gt;Jitsi is an open source alternative to Video Calling (Conferencing) services. I will prove that Jitsi is much better than Zoom with only 1 sentence.&lt;/p&gt;
&lt;h1 style="text-align: center;"&gt;You can host Jitsi on your own server without relying on another entity&lt;/h1&gt;
&lt;p&gt;You want more?&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Jitsi has Clean UI that is familiar to that of Zoom. &lt;/li&gt;
&lt;li&gt;Jitsi &lt;strong&gt;doesn't&lt;/strong&gt; have looping video feature which helps students or emplyees fake paying attention. &lt;/li&gt;
&lt;li&gt;Jitsi is &lt;strong title="Free Open Source Software"&gt;FOSS&lt;/strong&gt; developed by &lt;a href="https://8x8.com"&gt;8x8&lt;/a&gt;. &lt;/li&gt;
&lt;li&gt;
&lt;p&gt;Hosting Jitsi doesn't require a server with powerful CPU or GPU. Important resource is bandwidth. &lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;Jitsi doesn't have virtual background but it instead has background blurring in development.&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;👉️ Is it truely E2EE?&lt;br&gt;
&lt;strong&gt;This is what I understood from reading &lt;a href="https://github.com/jitsi/jitsi-meet/issues/409#issuecomment-260652107"&gt;this threat&lt;/a&gt;. Please correct me if I am wrong&lt;/strong&gt;&lt;br&gt;
Short answer is No.&lt;br&gt;
Long answer is: Just like in Zoom's case, connection between users and Jitsi VideoBridge (server) is encrypted. Server decrypts and encrypts everybody's stream for everybody else. But by having the control of Jitsi VideoBridge (server) by hosting it on your own server, you can assure that no other company/organization is holding your plain data except the recepient you are meeting with.&lt;br&gt;
That being said, Jitsi can establish P2P connection in rooms where there are only 2 people. This is a feature of WebRTC that Jitsi is built upon. It still &lt;strong&gt;isn't&lt;/strong&gt; true E2EE.&lt;/p&gt;
&lt;p&gt;👉️ Do anyone even use it?&lt;br&gt;
Glad you ask. Many companies banned use of Zoom and switched to alternatives such as Microsoft Teams, Skype, Hangout Meet and Jitsi. You probably won't see Jitsi's UI very often in the wild, but many companies use Jitsi VideoBridge as their backend for video conferences. Out of all the alternatives, only Jitsi allows self-hosting of server (Jitsi VideoBridge) AFAIK.&lt;/p&gt;
&lt;h2&gt;How to install Jitsi server?&lt;/h2&gt;
&lt;p&gt;I followed &lt;strong&gt;Nerd on the Street&lt;/strong&gt;'s &lt;a href="https://invidio.us/watch?v=IQRwtUamHQU"&gt;Host a Jitsi Meet Server&lt;/a&gt; installation tutorial. It took about 30 minute of my time (I am a noob) to get the server running. It takes another 10 minutes to secure it.&lt;/p&gt;
&lt;hr&gt;
&lt;p&gt;When I started this blog post, I expected to list 2 reasons not to use WhatsApp and Zoom then start talking about why Jitsi is the answer to my family's Group Video Calling needs. To fact check what I knew about about them (Zoom in particular) I searched them on &lt;a href="https://en.wikipedia.org/wiki/Zoom_(software)" title="Read more about Zoom on WikiPedia"&gt;Wikipedia&lt;/a&gt;. I learned much more than I expected. I am sorry for turning this post into "Rant of Zoom". I hope you learned a thing or two too.&lt;/p&gt;
&lt;hr&gt;
&lt;h3&gt;Other side of the coin&lt;/h3&gt;
&lt;p&gt;If you think I would be better of sticking to WhatsApp or Zoom, tell me more. Even though I read many negative things about Zoom, I will try my best to keep an open mind and hear people seeing other side of the coin. I am a human and can make mistakes. If there is something important I should know to better understand what is going on, please reply to comment toot linked below.&lt;/p&gt;</content><category term="tech"></category><category term="privacy"></category><category term="jitsi"></category><category term="100DaysToOffload"></category></entry><entry><title>Digital Cleansing - NextCloud</title><link href="https://murtezayesil.me/digital-cleansing-nextcloud.html" rel="alternate"></link><published>2020-07-16T10:00:00+06:00</published><updated>2020-07-16T10:00:00+06:00</updated><author><name>Ali Murteza Yesil</name></author><id>tag:murtezayesil.me,2020-07-16:/digital-cleansing-nextcloud.html</id><summary type="html">&lt;p&gt;NextCloud has 4 things going for me. It is FOSS, it gives me control, it is convenient and it works.&lt;/p&gt;</summary><content type="html">&lt;p&gt;This article reflects my opinions and experiences with few file server services.&lt;/p&gt;
&lt;p&gt;TL;DR : I think NextCloud is a far superior product for the price.&lt;/p&gt;
&lt;p&gt;Digital cleansing is about reowning personal data and regaining control over how it is processed. When I started digital cleansing, I wanted to start from where the most of my data is stored. There are 2 such services, Google Drive and Photos. I started by looking for &lt;a href="https://alternativeto.net/software/google-drive/"&gt;alternatives&lt;/a&gt;. OwnCloud and NextCloud seemed like &lt;strong&gt;affordable&lt;/strong&gt; and &lt;strong title="Free Open Source Software"&gt;FOSS&lt;/strong&gt; alternatives that allow &lt;strong title="Can be hosted on personal (or home) computer/server without relying on another service provider"&gt;self-hosting&lt;/strong&gt;.&lt;/p&gt;
&lt;hr&gt;
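Review bot: The E2EE answer in the Jitsi post ("AES-256 ECB algorithm used for E2EE is one of the greatest encryption algorithms out there") praises the part of that construction that is weak. ECB is a block-cipher mode that encrypts identical plaintext blocks to identical ciphertext blocks under the same key, so patterns in the data survive encryption whatever the key length. Suggest rewording so that AES-256 is named as the strength and ECB as a concern. Two smaller points in the same hunk: the Android line in the platform list and the first three items under "Mobile users:" lack the trailing `&lt;br&gt;` that the other list lines have, so they will run together when rendered; and the link text "this threat" on the jitsi-meet issue comment should read "this thread".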

View File

@ -1,2 +1,2 @@
<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0"><channel><title>Ali Murteza Yesil</title><link>https://murtezayesil.me/</link><description>Blog</description><lastBuildDate>Thu, 16 Jul 2020 10:00:00 +0600</lastBuildDate><item><title>Digital Cleansing - NextCloud</title><link>https://murtezayesil.me/digital-cleansing-nextcloud.html</link><description>&lt;p&gt;NextCloud has 4 things going for me. It is FOSS, it gives me control, it is convenient and it works.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Ali Murteza Yesil</dc:creator><pubDate>Thu, 16 Jul 2020 10:00:00 +0600</pubDate><guid isPermaLink="false">tag:murtezayesil.me,2020-07-16:/digital-cleansing-nextcloud.html</guid><category>Tech</category><category>privacy</category><category>nextcloud</category><category>100DaysToOffload</category></item><item><title>Digital Cleansing - Identifying services we use</title><link>https://murtezayesil.me/digital-cleansing-identifying-services-we-use.html</link><description>&lt;p&gt;Step 1 of digital cleansing is identifying services I want to drop&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Ali Murteza Yesil</dc:creator><pubDate>Tue, 14 Jul 2020 03:40:00 +0600</pubDate><guid isPermaLink="false">tag:murtezayesil.me,2020-07-14:/digital-cleansing-identifying-services-we-use.html</guid><category>Tech</category><category>privacy</category><category>100DaysToOffload</category></item><item><title>Digital Cleansing For Better Privacy</title><link>https://murtezayesil.me/digital-cleansing-for-better-privacy.html</link><description>&lt;p&gt;I am documenting my journey to claiming my digital freedom. 
Previously called "My Master Plan For Privacy (of my family)".&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Ali Murteza Yesil</dc:creator><pubDate>Sun, 12 Jul 2020 00:07:00 +0600</pubDate><guid isPermaLink="false">tag:murtezayesil.me,2020-07-12:/digital-cleansing-for-better-privacy.html</guid><category>Tech</category><category>privacy</category><category>100DaysToOffload</category></item><item><title>Privacy For The Whole Family</title><link>https://murtezayesil.me/privacy-for-the-whole-family.html</link><description>&lt;p&gt;My story of learning about wounds in my privacy and my first steps to cure it, helping my family for the same too.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Ali Murteza Yesil</dc:creator><pubDate>Fri, 10 Jul 2020 11:18:00 +0600</pubDate><guid isPermaLink="false">tag:murtezayesil.me,2020-07-10:/privacy-for-the-whole-family.html</guid><category>Tech</category><category>privacy</category><category>nextcloud</category><category>self-hosting</category><category>100DaysToOffload</category></item></channel></rss>
<rss version="2.0"><channel><title>Ali Murteza Yesil</title><link>https://murtezayesil.me/</link><description>Blog</description><lastBuildDate>Sat, 18 Jul 2020 00:00:00 +0600</lastBuildDate><item><title>Digital Cleansing - Jitsi</title><link>https://murtezayesil.me/digital-cleansing-jitsi.html</link><description>&lt;p&gt;My family and relatives live different countries and make good use of video calling services regardless of who is offering the service&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Ali Murteza Yesil</dc:creator><pubDate>Sat, 18 Jul 2020 00:00:00 +0600</pubDate><guid isPermaLink="false">tag:murtezayesil.me,2020-07-18:/digital-cleansing-jitsi.html</guid><category>tech</category><category>privacy</category><category>jitsi</category><category>100DaysToOffload</category></item><item><title>Digital Cleansing - NextCloud</title><link>https://murtezayesil.me/digital-cleansing-nextcloud.html</link><description>&lt;p&gt;NextCloud has 4 things going for me. 
It is FOSS, it gives me control, it is convenient and it works.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Ali Murteza Yesil</dc:creator><pubDate>Thu, 16 Jul 2020 10:00:00 +0600</pubDate><guid isPermaLink="false">tag:murtezayesil.me,2020-07-16:/digital-cleansing-nextcloud.html</guid><category>Tech</category><category>privacy</category><category>nextcloud</category><category>100DaysToOffload</category></item><item><title>Digital Cleansing - Identifying services we use</title><link>https://murtezayesil.me/digital-cleansing-identifying-services-we-use.html</link><description>&lt;p&gt;Step 1 of digital cleansing is identifying services I want to drop&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Ali Murteza Yesil</dc:creator><pubDate>Tue, 14 Jul 2020 03:40:00 +0600</pubDate><guid isPermaLink="false">tag:murtezayesil.me,2020-07-14:/digital-cleansing-identifying-services-we-use.html</guid><category>Tech</category><category>privacy</category><category>100DaysToOffload</category></item><item><title>Digital Cleansing For Better Privacy</title><link>https://murtezayesil.me/digital-cleansing-for-better-privacy.html</link><description>&lt;p&gt;I am documenting my journey to claiming my digital freedom. 
Previously called "My Master Plan For Privacy (of my family)".&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Ali Murteza Yesil</dc:creator><pubDate>Sun, 12 Jul 2020 00:07:00 +0600</pubDate><guid isPermaLink="false">tag:murtezayesil.me,2020-07-12:/digital-cleansing-for-better-privacy.html</guid><category>Tech</category><category>privacy</category><category>100DaysToOffload</category></item><item><title>Privacy For The Whole Family</title><link>https://murtezayesil.me/privacy-for-the-whole-family.html</link><description>&lt;p&gt;My story of learning about wounds in my privacy and my first steps to cure it, helping my family for the same too.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Ali Murteza Yesil</dc:creator><pubDate>Fri, 10 Jul 2020 11:18:00 +0600</pubDate><guid isPermaLink="false">tag:murtezayesil.me,2020-07-10:/privacy-for-the-whole-family.html</guid><category>Tech</category><category>privacy</category><category>nextcloud</category><category>self-hosting</category><category>100DaysToOffload</category></item></channel></rss>
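Review bot: The new "Digital Cleansing - Jitsi" item is emitted with `<category>tech</category>`, while the four existing items in this feed keep `<category>Tech</category>`. Pick one spelling: either change this post's `category` metadata to `Tech`, or update the older posts to `tech` in the same commit, so the feed does not carry two spellings of one category.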

View File

@ -1,5 +1,86 @@
<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom"><title>Ali Murteza Yesil - Tech</title><link href="https://murtezayesil.me/" rel="alternate"></link><link href="https://murtezayesil.me/feeds/tech.atom.xml" rel="self"></link><id>https://murtezayesil.me/</id><updated>2020-07-16T10:00:00+06:00</updated><subtitle>Blog</subtitle><entry><title>Digital Cleansing - NextCloud</title><link href="https://murtezayesil.me/digital-cleansing-nextcloud.html" rel="alternate"></link><published>2020-07-16T10:00:00+06:00</published><updated>2020-07-16T10:00:00+06:00</updated><author><name>Ali Murteza Yesil</name></author><id>tag:murtezayesil.me,2020-07-16:/digital-cleansing-nextcloud.html</id><summary type="html">&lt;p&gt;NextCloud has 4 things going for me. It is FOSS, it gives me control, it is convenient and it works.&lt;/p&gt;</summary><content type="html">&lt;p&gt;This article reflects my opinions and experiences with few file server services.&lt;/p&gt;
<feed xmlns="http://www.w3.org/2005/Atom"><title>Ali Murteza Yesil - tech</title><link href="https://murtezayesil.me/" rel="alternate"></link><link href="https://murtezayesil.me/feeds/tech.atom.xml" rel="self"></link><id>https://murtezayesil.me/</id><updated>2020-07-18T00:00:00+06:00</updated><subtitle>Blog</subtitle><entry><title>Digital Cleansing - Jitsi</title><link href="https://murtezayesil.me/digital-cleansing-jitsi.html" rel="alternate"></link><published>2020-07-18T00:00:00+06:00</published><updated>2020-07-18T00:00:00+06:00</updated><author><name>Ali Murteza Yesil</name></author><id>tag:murtezayesil.me,2020-07-18:/digital-cleansing-jitsi.html</id><summary type="html">&lt;p&gt;My family and relatives live different countries and make good use of video calling services regardless of who is offering the service&lt;/p&gt;</summary><content type="html">&lt;p&gt;My family is spread into 3 countries in 3 different continents. If we include my close relatives too, these numbers go even higher. It is important to stay in contact with your family and relatives in Turkish culture and we try to do that. Let it be weekend Zoom meetings (in 40 minute chunks :) or phone calls on WhatsApp (owned by Facebook), we heavily rely on third party services for communication. After launching NextCloud for my family to use, I what I wanted to tackle the &lt;strong&gt;Communication&lt;/strong&gt; problem.&lt;/p&gt;
&lt;p&gt;We have 3 kinds of communication needs in the family:&lt;br&gt;
1. Text messages&lt;br&gt;
2. Voice Calls&lt;br&gt;
3. (Mostly group) Video Calls&lt;/p&gt;
&lt;hr&gt;
&lt;h3&gt;Text Messaging &amp;amp; Voice Calls&lt;/h3&gt;
&lt;p&gt;I have been usign Telegram wherever I can for few years. Its UI is very similar to that of WhatsApp which I hope will ease the transition for my relatives. Since it also has voice calling, I don't need to look for another service for that. I love hitting two birds with one stone (only in metaphor) 😄️ &lt;br&gt;
That being said, I won't actually talk much about WhatsApp. Facebook bought WhatsApp back in February 2014. I believe that was a great deal for Facebook and a terrible deal for users.&lt;br&gt;
I know I mentioned Telegram but there is one more great alternative to WhatsApp (or even Telegram). It is called &lt;a href="https://signal.org/" title="Official page"&gt;Signal&lt;/a&gt; and it is developed by a non-profit founded by Co-founder of WhatsApp, Brian Acton. It is one freaking secure messaging app 😎️&lt;/p&gt;
&lt;hr&gt;
&lt;h3&gt;Group Video Calls&lt;/h3&gt;
&lt;p&gt;My families' and relatives' current choice of Group Video Calling service is Zoom, just like millions of other people who needed a video calling service for remote work, distance education and calling their loved ones. But Zoom seemingly popped out of nowhere for many people. I wanted to learn more about who Zoom is and how trustable it is. I hope my findings will help you to make educated decisions.&lt;/p&gt;
&lt;p&gt;Zoom was &lt;a href="https://en.wikipedia.org/wiki/Zoom_(software)#History" title="History of Zoom on Wikipedia"&gt;launched in September 2012&lt;/a&gt;, reached &lt;a href="https://www.tmcnet.com/topics/articles/2013/05/23/339279-zoom-video-communications-reaches-1-million-participants.htm" title="Zoom Video Communications Reaches 1 Million Participants - TMCnet"&gt;1 Million user base in January 2013&lt;/a&gt; and rapidly grow during global quarantine to a point that Zoom got &lt;a href="https://web.archive.org/web/20200422125131/https://www.theguardian.com/technology/2020/mar/31/zoom-booms-as-demand-for-video-conferencing-tech-grows-in-coronavirus-outbreak" title="Zoom booms as demand for video-conferencing tech grows - The Guardian [archive]"&gt;2.13 Million downloads on March 23rd 2020&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;After some research (reading Wikipedia) I found that Zoom had many wounds that hurt many of its users. Given that Zoom reached 1 Million userbase 5 months after launching (from September 2012 to January 2013) and they were charging 9.99$/month, I expect Zoom to invest into infrastructure and app security. I am saying this because they clearly had time to fix issues in their apps before the pandemic arrived. Here are few examples to show how Zoom messed up:&lt;br&gt;
&lt;strong&gt;Windows&lt;/strong&gt; : &lt;a href="https://arstechnica.com/information-technology/2020/04/unpatched-zoom-bug-lets-attackers-steal-windows-credentials-with-no-warning/"&gt;Attackers can use Zoom to steal users Windows credentials with no warning - ars technica&lt;/a&gt;&lt;br&gt;
&lt;strong&gt;MacOS&lt;/strong&gt; : &lt;a href="https://threatpost.com/zoom-zero-day-mac-webcam-hijacking/146317/"&gt;Zoom Zero-Day Bug Opens Mac Users to Webcam Hijacking - threat post&lt;/a&gt;. This prompted Apple to use its MRT (Malware Removal Tool) to remotely delete Zoom from Mac computers.&lt;br&gt;
&lt;strong&gt;MacOS&lt;/strong&gt; : &lt;a href="https://medium.com/bugbountywriteup/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5"&gt;Zoom Zero Day: 4+ Million Webcams &amp;amp; maybe an RCE? Just get them to visit your website! - InfoSec Write-ups&lt;/a&gt; allowing Zoom to reinstall itself after being uninstalled and join a video call with camera activated without user's permission.&lt;br&gt;
&lt;strong&gt;MacOS&lt;/strong&gt; : &lt;a href="https://nitter.net/c1truz_/status/1244737672930824193"&gt;Zoom App installation uses the same method used by malwares to gain root priviledges - Twitter thread on Nitter&lt;/a&gt;&lt;br&gt;
&lt;strong&gt;iOS&lt;/strong&gt; : &lt;a href="https://www.vice.com/en_ca/article/k7e599/zoom-ios-app-sends-data-to-facebook-even-if-you-dont-have-a-facebook-account"&gt;Zoom iOS App Sends Data to Facebook Even if You Dont Have a Facebook Account - Vice&lt;/a&gt;&lt;br&gt;
&lt;strong&gt;Android&lt;/strong&gt; : I didn't find any news about Zoom Android App vulnerabilities. But if they used Facebook tracker in iOS app, I don't see any reason why zoom wouldn't use the same on Android
&lt;strong&gt;Linux&lt;/strong&gt; : No vulnerability was found YET. Remember that &lt;a href="https://netmarketshare.com/operating-system-market-share.aspx?options=%7B%22filter%22%3A%7B%22%24and%22%3A%5B%7B%22deviceType%22%3A%7B%22%24in%22%3A%5B%22Desktop%2Flaptop%22%5D%7D%7D%5D%7D%2C%22dateLabel%22%3A%22Custom%22%2C%22attributes%22%3A%22share%22%2C%22group%22%3A%22platform%22%2C%22sort%22%3A%7B%22share%22%3A-1%7D%2C%22id%22%3A%22platformsDesktop%22%2C%22dateInterval%22%3A%22Monthly%22%2C%22dateStart%22%3A%222019-08%22%2C%22dateEnd%22%3A%222020-06%22%2C%22plotKeys%22%3A%5B%7B%22platform%22%3A%22Linux%22%7D%2C%7B%22platform%22%3A%22Mac%20OS%22%7D%2C%7B%22platform%22%3A%22Chrome%20OS%22%7D%5D%2C%22segments%22%3A%22-1000%22%7D" title="Less than 4%"&gt;Linux desktop has a small marketshare&lt;/a&gt; and apps for it are less likely to be targeted by hackers.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;"Zoom has just had so many missteps."
- Patrick Wardle, Jamf&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;You can read about Zoom's vulnerabilities on MacOS and iOS in detail in &lt;a href="https://objective-see.com/blog/blog_0x56.html" title="The 'S' in Zoom, Stands for Security - Objective-See"&gt;this blog post of Objective-See&lt;/a&gt;. &lt;/p&gt;
&lt;p&gt;These issues were &lt;strong&gt;FIXED&lt;/strong&gt; by Zoom. But Zoom took long time to responde some of the cyber security personel as if it didn't care about the user privacy and security. I only mentioned the vulnerabilities in Zoom's apps. Zoom also &lt;a href="https://www.axios.com/zoom-closes-chinese-user-account-tiananmen-square-f218fed1-69af-4bdd-aac4-7eaf67f34084.html" title="Zoom closed account of U.S.-based Chinese activist “to comply with local law” - Axios"&gt;contributed to censorship&lt;/a&gt; by closing human rights activist Zhou Fengsuo's paid account and closing Social activist Lee Cheuk Yan's account upon China's request.&lt;/p&gt;
&lt;p&gt;👉️ Since those vulnerabilities are fixed it should be safe to use Zoom, right?&lt;br&gt;
Unfortunately, NO. Even if apps became less vulnerable, users still are through weak privacy practices and use of third party trackers. Zoom's Privacy Policy is &lt;a href="https://zoom.us/privacy#_Toc44414842"&gt;not assuring enough&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;👉️ They introduced end-to-end encryption, E2EE. Is it insecure encryption?&lt;br&gt;
AES-256 ECB algorithm used for E2EE is one of the greatest encryption algorithms out there. But it isn't enabled by default and enabling E2EE disables many features such as screensharing, which doesn't incentivise people to use E2EE. Both enterprise customers and teachers would want to use screensharing, thus not using E2EE.&lt;/p&gt;
&lt;p&gt;👉️ They say Zoom encrypts every meeting by default. Are they lying?&lt;br&gt;
No, they are not. But they aren't telling the whole story either. When you start a Zoom meeting, your device establishes a connection to Zoom over &lt;a href="https://en.wikipedia.org/wiki/Https#Security"&gt;HTTPS&lt;/a&gt;. Meaning data is encrypted during transmission between you and Zoom. Data gets decrypted in Zoom and encrypted again before it goes to whoever you are meeting with. This is done because everybody in the meeting has different &lt;a href="https://en.wikipedia.org/wiki/Session_key"&gt;session key&lt;/a&gt; for encryption. Your meeting is apparent to Zoom, not hidden from it.&lt;/p&gt;
&lt;p&gt;👉️ Zoom has faced &lt;a href="https://en.wikipedia.org/wiki/Zero-day_(computing)" title="Learn about zero day attacks on Wikipedia"&gt;0-day attacks&lt;/a&gt; which weren't fair.&lt;br&gt;
Not a question but I get your point. When a cyber security personal discovers a vulnerability, (s)he informs the vendor about the vulnerability in disguise and asks for bounty. Vendor checks if that is a legit vulnerability or a scam. Then they work together to fix the issue and vendor pays the bounty. Many companies have a &lt;a href="https://www.intel.com/content/www/us/en/security-center/bug-bounty-program.html" title="Intel offers upto 100,000$"&gt;bug&lt;/a&gt; &lt;a href="https://hackerone.com/verizonmedia?type=team" title="Verizon offers upto 15,000$"&gt;bounty&lt;/a&gt; &lt;a href="https://www.microsoft.com/en-us/msrc/bounty" title="Microsoft offers upto 100,000$"&gt;program&lt;/a&gt;.&lt;br&gt;
A cyber security personal may choose to release the vulnerability to public for it to be exploited by other people, which turns a vulnerability into zero day attack. This action incentivises vendor to fix that issue immediately since issue became well-known.&lt;br&gt;
Zoom had time since 2013 for testing its softwares properly. Proper testing would uncover those bugs before hackers did. Any company that is careless about security and privacy of its customers' deserves to be pinched to start acting.&lt;/p&gt;
&lt;p&gt;What if I am forced to Zoom by my employer/school/family?&lt;br&gt;
Desktop/laptop users:&lt;br&gt;
1. Windows: Use virtual machine and apply one of the below Linux methods&lt;br&gt;
2. MacOS: Use virtual machine and apply one of the below Linux methods&lt;br&gt;
3. Linux: Install Linux Live image on a USB and boot into it everytime you need to Zoom. Install Zoom into that Live environment. Zoom will only be able to access what is in that Live environment. Shutting down a Live environment deletes everything that was installed in that session.&lt;br&gt;
4. Linux: &lt;a href="https://ar.al/2020/06/25/how-to-use-the-zoom-malware-safely-on-linux-if-you-absolutely-have-to/" title="How to use the Zoom malware safely on Linux if you absolutely have to - Aral Balkan"&gt;Install Zoom into a firejail&lt;/a&gt;, greatly limiting what it can reach.&lt;br&gt;
Mobile users:&lt;br&gt;
1. Android: &lt;a href="https://www.howtogeek.com/333484/how-to-set-up-multiple-user-profiles-on-android/" title="This process maybe different for different brands"&gt;Create a restricted user&lt;/a&gt; on your phone and install Zoom there. Not in your main user.
2. Android: If you can, use Zoom on Linux as described above.
3. iOS: Don't give it permissions if you don't need them. Don't let it run in background. Uninstall after using.
4. iOS: If you can, use Zoom on Linux as described above.&lt;/p&gt;
&lt;p&gt;PS: I don't own a Mac, iPhone or Windows PC. But since Zoom on those platforms seem to be the affected most, I recommend everybody to use Zoom on Linux in a firejail if you absolutely have to.&lt;/p&gt;
&lt;p&gt;I also wanted to read articles &lt;a href="https://medium.com/@rowantrollope/beyond-the-noise-7-reasons-its-safe-to-run-zoom-9a2e639b13ec"&gt;that&lt;/a&gt; &lt;a href="https://blog.prialto.com/3-reasons-why-zoom-provides-the-best-video-conferencing-software"&gt;defend&lt;/a&gt; &lt;a href="https://www.forbes.com/sites/rebeccabellan/2020/03/24/what-you-need-to-know-about-using-zoom/#3cee9d0d3284"&gt;Zoom&lt;/a&gt;. But they are mostly talking about Zoom's E2EE feature (that is not default), how people got creative with Virtual Background feature, Zoom's clean UI, ability to fake paying attention and its price. They either say nothing about Zooms privacy policy or even if they say something, it is not assuring in my opinion.&lt;/p&gt;
&lt;hr&gt;
&lt;h1&gt;Jitsi&lt;/h1&gt;
&lt;p&gt;Jitsi is an open source alternative to Video Calling (Conferencing) services. I will prove that Jitsi is much better than Zoom with only 1 sentence.&lt;/p&gt;
&lt;h1 style="text-align: center;"&gt;You can host Jitsi on your own server without relying on another entity&lt;/h1&gt;
&lt;p&gt;You want more?&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Jitsi has Clean UI that is familiar to that of Zoom. &lt;/li&gt;
&lt;li&gt;Jitsi &lt;strong&gt;doesn't&lt;/strong&gt; have looping video feature which helps students or emplyees fake paying attention. &lt;/li&gt;
&lt;li&gt;Jitsi is &lt;strong title="Free Open Source Software"&gt;FOSS&lt;/strong&gt; developed by &lt;a href="https://8x8.com"&gt;8x8&lt;/a&gt;. &lt;/li&gt;
&lt;li&gt;
&lt;p&gt;Hosting Jitsi doesn't require a server with powerful CPU or GPU. Important resource is bandwidth. &lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;Jitsi doesn't have virtual background but it instead has background blurring in development.&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;👉️ Is it truely E2EE?&lt;br&gt;
&lt;strong&gt;This is what I understood from reading &lt;a href="https://github.com/jitsi/jitsi-meet/issues/409#issuecomment-260652107"&gt;this threat&lt;/a&gt;. Please correct me if I am wrong&lt;/strong&gt;&lt;br&gt;
Short answer is No.&lt;br&gt;
Long answer is: Just like in Zoom's case, connection between users and Jitsi VideoBridge (server) is encrypted. Server decrypts and encrypts everybody's stream for everybody else. But by having the control of Jitsi VideoBridge (server) by hosting it on your own server, you can assure that no other company/organization is holding your plain data except the recepient you are meeting with.&lt;br&gt;
That being said, Jitsi can establish P2P connection in rooms where there are only 2 people. This is a feature of WebRTC that Jitsi is built upon. It still &lt;strong&gt;isn't&lt;/strong&gt; true E2EE.&lt;/p&gt;
&lt;p&gt;👉️ Do anyone even use it?&lt;br&gt;
Glad you ask. Many companies banned use of Zoom and switched to alternatives such as Microsoft Teams, Skype, Hangout Meet and Jitsi. You probably won't see Jitsi's UI very often in the wild, but many companies use Jitsi VideoBridge as their backend for video conferences. Out of all the alternatives, only Jitsi allows self-hosting of server (Jitsi VideoBridge) AFAIK.&lt;/p&gt;
&lt;h2&gt;How to install Jitsi server?&lt;/h2&gt;
&lt;p&gt;I followed &lt;strong&gt;Nerd on the Street&lt;/strong&gt;'s &lt;a href="https://invidio.us/watch?v=IQRwtUamHQU"&gt;Host a Jitsi Meet Server&lt;/a&gt; installation tutorial. It took about 30 minute of my time (I am a noob) to get the server running. It takes another 10 minutes to secure it.&lt;/p&gt;
&lt;hr&gt;
&lt;p&gt;When I started this blog post, I expected to list 2 reasons not to use WhatsApp and Zoom then start talking about why Jitsi is the answer to my family's Group Video Calling needs. To fact check what I knew about about them (Zoom in particular) I searched them on &lt;a href="https://en.wikipedia.org/wiki/Zoom_(software)" title="Read more about Zoom on WikiPedia"&gt;Wikipedia&lt;/a&gt;. I learned much more than I expected. I am sorry for turning this post into "Rant of Zoom". I hope you learned a thing or two too.&lt;/p&gt;
&lt;hr&gt;
&lt;h3&gt;Other side of the coin&lt;/h3&gt;
&lt;p&gt;If you think I would be better of sticking to WhatsApp or Zoom, tell me more. Even though I read many negative things about Zoom, I will try my best to keep an open mind and hear people seeing other side of the coin. I am a human and can make mistakes. If there is something important I should know to better understand what is going on, please reply to comment toot linked below.&lt;/p&gt;</content><category term="tech"></category><category term="privacy"></category><category term="jitsi"></category><category term="100DaysToOffload"></category></entry><entry><title>Digital Cleansing - NextCloud</title><link href="https://murtezayesil.me/digital-cleansing-nextcloud.html" rel="alternate"></link><published>2020-07-16T10:00:00+06:00</published><updated>2020-07-16T10:00:00+06:00</updated><author><name>Ali Murteza Yesil</name></author><id>tag:murtezayesil.me,2020-07-16:/digital-cleansing-nextcloud.html</id><summary type="html">&lt;p&gt;NextCloud has 4 things going for me. It is FOSS, it gives me control, it is convenient and it works.&lt;/p&gt;</summary><content type="html">&lt;p&gt;This article reflects my opinions and experiences with few file server services.&lt;/p&gt;
&lt;p&gt;TL;DR : I think NextCloud is a far superior product for the price.&lt;/p&gt;
&lt;p&gt;Digital cleansing is about reowning personal data and regaining control over how it is processed. When I started digital cleansing, I wanted to start from where the most of my data is stored. There are 2 such services, Google Drive and Photos. I started by looking for &lt;a href="https://alternativeto.net/software/google-drive/"&gt;alternatives&lt;/a&gt;. OwnCloud and NextCloud seemed like &lt;strong&gt;affordable&lt;/strong&gt; and &lt;strong title="Free Open Source Software"&gt;FOSS&lt;/strong&gt; alternatives that allow &lt;strong title="Can be hosted on personal (or home) computer/server without relying on another service provider"&gt;self-hosting&lt;/strong&gt;.&lt;/p&gt;
&lt;hr&gt;
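Review bot: In the "Is it truely E2EE?" answer, the two-person case is closed with "It still isn't true E2EE" and no reason, right after the text explains that the Jitsi VideoBridge is the component that decrypts and re-encrypts streams. A reader cannot tell what would still see plaintext in a P2P room, so state the reason or point at the part of the linked GitHub comment that supports it. In the same answer the link text "this threat" should read "this thread". Under "Mobile users", items 1 to 3 lack the trailing line break that the desktop item above them has, so they will run together in the feed.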

View File

@ -40,49 +40,126 @@
</nav>
<div id="submenu">
<ul>
<li><a href="https://murtezayesil.me/category/tech.html">Tech</a></li>
<li><a href="https://murtezayesil.me/category/tech.html">tech</a></li>
</ul>
<div>
</header><!-- /#banner -->
<aside id="featured" class="body">
<article>
<h1 class="entry-title"><a href="https://murtezayesil.me/digital-cleansing-nextcloud.html">Digital Cleansing - NextCloud</a></h1>
<h1 class="entry-title"><a href="https://murtezayesil.me/digital-cleansing-jitsi.html">Digital Cleansing - Jitsi</a></h1>
<footer class="post-info">
<span>Sat 18 July 2020</span>
<span>| in <a href="https://murtezayesil.me/category/tech.html">tech</a></span>
<span>| tags: <a href="https://murtezayesil.me/tag/privacy.html">privacy</a><a href="https://murtezayesil.me/tag/jitsi.html">jitsi</a><a href="https://murtezayesil.me/tag/100daystooffload.html">100DaysToOffload</a></span> <span>| Day <strong>5</strong> of #100DaysToOffload</span>
</footer><!-- /.post-info --><p>My family is spread into 3 countries in 3 different continents. If we include my close relatives too, these numbers go even higher. It is important to stay in contact with your family and relatives in Turkish culture and we try to do that. Let it be weekend Zoom meetings (in 40 minute chunks :) or phone calls on WhatsApp (owned by Facebook), we heavily rely on third party services for communication. After launching NextCloud for my family to use, I what I wanted to tackle the <strong>Communication</strong> problem.</p>
<p>We have 3 kinds of communication needs in the family:<br>
1. Text messages<br>
2. Voice Calls<br>
3. (Mostly group) Video Calls</p>
<hr>
<h3>Text Messaging &amp; Voice Calls</h3>
<p>I have been usign Telegram wherever I can for few years. Its UI is very similar to that of WhatsApp which I hope will ease the transition for my relatives. Since it also has voice calling, I don't need to look for another service for that. I love hitting two birds with one stone (only in metaphor) 😄️ <br>
That being said, I won't actually talk much about WhatsApp. Facebook bought WhatsApp back in February 2014. I believe that was a great deal for Facebook and a terrible deal for users.<br>
I know I mentioned Telegram but there is one more great alternative to WhatsApp (or even Telegram). It is called <a href="https://signal.org/" title="Official page">Signal</a> and it is developed by a non-profit founded by Co-founder of WhatsApp, Brian Acton. It is one freaking secure messaging app 😎️</p>
<hr>
<h3>Group Video Calls</h3>
<p>My families' and relatives' current choice of Group Video Calling service is Zoom, just like millions of other people who needed a video calling service for remote work, distance education and calling their loved ones. But Zoom seemingly popped out of nowhere for many people. I wanted to learn more about who Zoom is and how trustable it is. I hope my findings will help you to make educated decisions.</p>
<p>Zoom was <a href="https://en.wikipedia.org/wiki/Zoom_(software)#History" title="History of Zoom on Wikipedia">launched in September 2012</a>, reached <a href="https://www.tmcnet.com/topics/articles/2013/05/23/339279-zoom-video-communications-reaches-1-million-participants.htm" title="Zoom Video Communications Reaches 1 Million Participants - TMCnet">1 Million user base in January 2013</a> and rapidly grow during global quarantine to a point that Zoom got <a href="https://web.archive.org/web/20200422125131/https://www.theguardian.com/technology/2020/mar/31/zoom-booms-as-demand-for-video-conferencing-tech-grows-in-coronavirus-outbreak" title="Zoom booms as demand for video-conferencing tech grows - The Guardian [archive]">2.13 Million downloads on March 23rd 2020</a>.</p>
<p>After some research (reading Wikipedia) I found that Zoom had many wounds that hurt many of its users. Given that Zoom reached 1 Million userbase 5 months after launching (from September 2012 to January 2013) and they were charging 9.99$/month, I expect Zoom to invest into infrastructure and app security. I am saying this because they clearly had time to fix issues in their apps before the pandemic arrived. Here are few examples to show how Zoom messed up:<br>
<strong>Windows</strong> : <a href="https://arstechnica.com/information-technology/2020/04/unpatched-zoom-bug-lets-attackers-steal-windows-credentials-with-no-warning/">Attackers can use Zoom to steal users Windows credentials with no warning - ars technica</a><br>
<strong>MacOS</strong> : <a href="https://threatpost.com/zoom-zero-day-mac-webcam-hijacking/146317/">Zoom Zero-Day Bug Opens Mac Users to Webcam Hijacking - threat post</a>. This prompted Apple to use its MRT (Malware Removal Tool) to remotely delete Zoom from Mac computers.<br>
<strong>MacOS</strong> : <a href="https://medium.com/bugbountywriteup/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5">Zoom Zero Day: 4+ Million Webcams &amp; maybe an RCE? Just get them to visit your website! - InfoSec Write-ups</a> allowing Zoom to reinstall itself after being uninstalled and join a video call with camera activated without user's permission.<br>
<strong>MacOS</strong> : <a href="https://nitter.net/c1truz_/status/1244737672930824193">Zoom App installation uses the same method used by malwares to gain root priviledges - Twitter thread on Nitter</a><br>
<strong>iOS</strong> : <a href="https://www.vice.com/en_ca/article/k7e599/zoom-ios-app-sends-data-to-facebook-even-if-you-dont-have-a-facebook-account">Zoom iOS App Sends Data to Facebook Even if You Dont Have a Facebook Account - Vice</a><br>
<strong>Android</strong> : I didn't find any news about Zoom Android App vulnerabilities. But if they used Facebook tracker in iOS app, I don't see any reason why zoom wouldn't use the same on Android
<strong>Linux</strong> : No vulnerability was found YET. Remember that <a href="https://netmarketshare.com/operating-system-market-share.aspx?options=%7B%22filter%22%3A%7B%22%24and%22%3A%5B%7B%22deviceType%22%3A%7B%22%24in%22%3A%5B%22Desktop%2Flaptop%22%5D%7D%7D%5D%7D%2C%22dateLabel%22%3A%22Custom%22%2C%22attributes%22%3A%22share%22%2C%22group%22%3A%22platform%22%2C%22sort%22%3A%7B%22share%22%3A-1%7D%2C%22id%22%3A%22platformsDesktop%22%2C%22dateInterval%22%3A%22Monthly%22%2C%22dateStart%22%3A%222019-08%22%2C%22dateEnd%22%3A%222020-06%22%2C%22plotKeys%22%3A%5B%7B%22platform%22%3A%22Linux%22%7D%2C%7B%22platform%22%3A%22Mac%20OS%22%7D%2C%7B%22platform%22%3A%22Chrome%20OS%22%7D%5D%2C%22segments%22%3A%22-1000%22%7D" title="Less than 4%">Linux desktop has a small marketshare</a> and apps for it are less likely to be targeted by hackers.</p>
<blockquote>
<p>"Zoom has just had so many missteps."
- Patrick Wardle, Jamf</p>
</blockquote>
<p>You can read about Zoom's vulnerabilities on MacOS and iOS in detail in <a href="https://objective-see.com/blog/blog_0x56.html" title="The 'S' in Zoom, Stands for Security - Objective-See">this blog post of Objective-See</a>. </p>
<p>These issues were <strong>FIXED</strong> by Zoom. But Zoom took long time to responde some of the cyber security personel as if it didn't care about the user privacy and security. I only mentioned the vulnerabilities in Zoom's apps. Zoom also <a href="https://www.axios.com/zoom-closes-chinese-user-account-tiananmen-square-f218fed1-69af-4bdd-aac4-7eaf67f34084.html" title="Zoom closed account of U.S.-based Chinese activist “to comply with local law” - Axios">contributed to censorship</a> by closing human rights activist Zhou Fengsuo's paid account and closing Social activist Lee Cheuk Yan's account upon China's request.</p>
<p>👉️ Since those vulnerabilities are fixed it should be safe to use Zoom, right?<br>
Unfortunately, NO. Even if apps became less vulnerable, users still are through weak privacy practices and use of third party trackers. Zoom's Privacy Policy is <a href="https://zoom.us/privacy#_Toc44414842">not assuring enough</a>.</p>
<p>👉️ They introduced end-to-end encryption, E2EE. Is it insecure encryption?<br>
AES-256 ECB algorithm used for E2EE is one of the greatest encryption algorithms out there. But it isn't enabled by default and enabling E2EE disables many features such as screensharing, which doesn't incentivise people to use E2EE. Both enterprise customers and teachers would want to use screensharing, thus not using E2EE.</p>
<p>👉️ They say Zoom encrypts every meeting by default. Are they lying?<br>
No, they are not. But they aren't telling the whole story either. When you start a Zoom meeting, your device establishes a connection to Zoom over <a href="https://en.wikipedia.org/wiki/Https#Security">HTTPS</a>. Meaning data is encrypted during transmission between you and Zoom. Data gets decrypted in Zoom and encrypted again before it goes to whoever you are meeting with. This is done because everybody in the meeting has different <a href="https://en.wikipedia.org/wiki/Session_key">session key</a> for encryption. Your meeting is apparent to Zoom, not hidden from it.</p>
<p>👉️ Zoom has faced <a href="https://en.wikipedia.org/wiki/Zero-day_(computing)" title="Learn about zero day attacks on Wikipedia">0-day attacks</a> which weren't fair.<br>
Not a question but I get your point. When a cyber security personal discovers a vulnerability, (s)he informs the vendor about the vulnerability in disguise and asks for bounty. Vendor checks if that is a legit vulnerability or a scam. Then they work together to fix the issue and vendor pays the bounty. Many companies have a <a href="https://www.intel.com/content/www/us/en/security-center/bug-bounty-program.html" title="Intel offers upto 100,000$">bug</a> <a href="https://hackerone.com/verizonmedia?type=team" title="Verizon offers upto 15,000$">bounty</a> <a href="https://www.microsoft.com/en-us/msrc/bounty" title="Microsoft offers upto 100,000$">program</a>.<br>
A cyber security personal may choose to release the vulnerability to public for it to be exploited by other people, which turns a vulnerability into zero day attack. This action incentivises vendor to fix that issue immediately since issue became well-known.<br>
Zoom had time since 2013 for testing its softwares properly. Proper testing would uncover those bugs before hackers did. Any company that is careless about security and privacy of its customers' deserves to be pinched to start acting.</p>
<p>What if I am forced to Zoom by my employer/school/family?<br>
Desktop/laptop users:<br>
1. Windows: Use virtual machine and apply one of the below Linux methods<br>
2. MacOS: Use virtual machine and apply one of the below Linux methods<br>
3. Linux: Install Linux Live image on a USB and boot into it everytime you need to Zoom. Install Zoom into that Live environment. Zoom will only be able to access what is in that Live environment. Shutting down a Live environment deletes everything that was installed in that session.<br>
4. Linux: <a href="https://ar.al/2020/06/25/how-to-use-the-zoom-malware-safely-on-linux-if-you-absolutely-have-to/" title="How to use the Zoom malware safely on Linux if you absolutely have to - Aral Balkan">Install Zoom into a firejail</a>, greatly limiting what it can reach.<br>
Mobile users:<br>
1. Android: <a href="https://www.howtogeek.com/333484/how-to-set-up-multiple-user-profiles-on-android/" title="This process maybe different for different brands">Create a restricted user</a> on your phone and install Zoom there. Not in your main user.
2. Android: If you can, use Zoom on Linux as described above.
3. iOS: Don't give it permissions if you don't need them. Don't let it run in background. Uninstall after using.
4. iOS: If you can, use Zoom on Linux as described above.</p>
<p>PS: I don't own a Mac, iPhone or Windows PC. But since Zoom on those platforms seem to be the affected most, I recommend everybody to use Zoom on Linux in a firejail if you absolutely have to.</p>
<p>I also wanted to read articles <a href="https://medium.com/@rowantrollope/beyond-the-noise-7-reasons-its-safe-to-run-zoom-9a2e639b13ec">that</a> <a href="https://blog.prialto.com/3-reasons-why-zoom-provides-the-best-video-conferencing-software">defend</a> <a href="https://www.forbes.com/sites/rebeccabellan/2020/03/24/what-you-need-to-know-about-using-zoom/#3cee9d0d3284">Zoom</a>. But they are mostly talking about Zoom's E2EE feature (that is not default), how people got creative with Virtual Background feature, Zoom's clean UI, ability to fake paying attention and its price. They either say nothing about Zooms privacy policy or even if they say something, it is not assuring in my opinion.</p>
<hr>
<h1>Jitsi</h1>
<p>Jitsi is an open source alternative to Video Calling (Conferencing) services. I will prove that Jitsi is much better than Zoom with only 1 sentence.</p>
<h1 style="text-align: center;">You can host Jitsi on your own server without relying on another entity</h1>
<p>You want more?</p>
<ol>
<li>Jitsi has Clean UI that is familiar to that of Zoom. </li>
<li>Jitsi <strong>doesn't</strong> have looping video feature which helps students or emplyees fake paying attention. </li>
<li>Jitsi is <strong title="Free Open Source Software">FOSS</strong> developed by <a href="https://8x8.com">8x8</a>. </li>
<li>
<p>Hosting Jitsi doesn't require a server with powerful CPU or GPU. Important resource is bandwidth. </p>
</li>
<li>
<p>Jitsi doesn't have virtual background but it instead has background blurring in development.</p>
</li>
</ol>
<p>👉️ Is it truely E2EE?<br>
<strong>This is what I understood from reading <a href="https://github.com/jitsi/jitsi-meet/issues/409#issuecomment-260652107">this threat</a>. Please correct me if I am wrong</strong><br>
Short answer is No.<br>
Long answer is: Just like in Zoom's case, connection between users and Jitsi VideoBridge (server) is encrypted. Server decrypts and encrypts everybody's stream for everybody else. But by having the control of Jitsi VideoBridge (server) by hosting it on your own server, you can assure that no other company/organization is holding your plain data except the recepient you are meeting with.<br>
That being said, Jitsi can establish P2P connection in rooms where there are only 2 people. This is a feature of WebRTC that Jitsi is built upon. It still <strong>isn't</strong> true E2EE.</p>
<p>👉️ Do anyone even use it?<br>
Glad you ask. Many companies banned use of Zoom and switched to alternatives such as Microsoft Teams, Skype, Hangout Meet and Jitsi. You probably won't see Jitsi's UI very often in the wild, but many companies use Jitsi VideoBridge as their backend for video conferences. Out of all the alternatives, only Jitsi allows self-hosting of server (Jitsi VideoBridge) AFAIK.</p>
<h2>How to install Jitsi server?</h2>
<p>I followed <strong>Nerd on the Street</strong>'s <a href="https://invidio.us/watch?v=IQRwtUamHQU">Host a Jitsi Meet Server</a> installation tutorial. It took about 30 minute of my time (I am a noob) to get the server running. It takes another 10 minutes to secure it.</p>
<hr>
<p>When I started this blog post, I expected to list 2 reasons not to use WhatsApp and Zoom then start talking about why Jitsi is the answer to my family's Group Video Calling needs. To fact check what I knew about about them (Zoom in particular) I searched them on <a href="https://en.wikipedia.org/wiki/Zoom_(software)" title="Read more about Zoom on WikiPedia">Wikipedia</a>. I learned much more than I expected. I am sorry for turning this post into "Rant of Zoom". I hope you learned a thing or two too.</p>
<hr>
<h3>Other side of the coin</h3>
<p>If you think I would be better of sticking to WhatsApp or Zoom, tell me more. Even though I read many negative things about Zoom, I will try my best to keep an open mind and hear people seeing other side of the coin. I am a human and can make mistakes. If there is something important I should know to better understand what is going on, please reply to comment toot linked below.</p><!-- Comments -->
<hr>
<h2>Comments</h2>
<p>Toot on <a href="https://fosstodon.org/@murtezayesil/104535970036319662">this thread</a> to comment. This blog is a static site. Comments won't appear here.</p>
</article>
</aside><!-- /#featured -->
<section id="content" class="body">
<h1>Other articles</h1>
<ol id="posts-list" class="hfeed">
<li><article class="hentry">
<header>
<h1><a href="https://murtezayesil.me/digital-cleansing-nextcloud.html" rel="bookmark"
title="Permalink to Digital Cleansing - NextCloud">Digital Cleansing - NextCloud</a></h1>
</header>
<div class="entry-content">
<footer class="post-info">
<span>Thu 16 July 2020</span>
<span>| in <a href="https://murtezayesil.me/category/tech.html">Tech</a></span>
<span>| tags: <a href="https://murtezayesil.me/tag/privacy.html">privacy</a><a href="https://murtezayesil.me/tag/nextcloud.html">nextcloud</a><a href="https://murtezayesil.me/tag/100daystooffload.html">100DaysToOffload</a></span> <span>| Day <strong>4</strong> of #100DaysToOffload</span>
</footer><!-- /.post-info --><p>This article reflects my opinions and experiences with few file server services.</p>
<p>TL;DR : I think NextCloud is a far superior product for the price.</p>
<p>Digital cleansing is about reowning personal data and regaining control over how it is processed. When I started digital cleansing, I wanted to start from where the most of my data is stored. There are 2 such services, Google Drive and Photos. I started by looking for <a href="https://alternativeto.net/software/google-drive/">alternatives</a>. OwnCloud and NextCloud seemed like <strong>affordable</strong> and <strong title="Free Open Source Software">FOSS</strong> alternatives that allow <strong title="Can be hosted on personal (or home) computer/server without relying on another service provider">self-hosting</strong>.</p>
<hr>
<h2>Owncloud</h2>
<p>I started my journey by renting a VM on Digital Ocean, droplet. I installed <a href="https://en.wikipedia.org/wiki/LAMP_(software_bundle)" title="Minimum set of softwares needed for a working web service">LAMP stack</a> and <a href="https://en.wikipedia.org/wiki/OwnCloud" title="File server service">OwnCloud</a>. As a new comer to OwnCloud, I started to click every button in every menu to discover and learn more about OwnCloud. <a href="https://marketplace.owncloud.com/">Marketplace</a>, a feature manager to add/remove more features, has many stuff that can appeal to enterprises and teams working from home. Next, I browsed the <a href="https://search.f-droid.org/?q=owncloud" title="Apps for OwnCloud on F-droid">available Android apps for OwnCloud</a>. To my surprise, there aren't many. I expected niche apps on Android for using niche features on marketplace. Instead, I would run into more <a href="https://search.f-droid.org/?q=nextcloud" title="Apps for NextCloud on F-droid">apps branded for NextCloud</a>. Meanwhile I updated the droplet, because updates are important, but ran into "kernel updates rendering server unbootable" kind of issues, I switched to Linode and NextCloud after strugling on Digital Ocean for a week.</p>
<p>Just like Owncloud's marketplace, NextCloud has its own "app store", I'd like to them "feature manager" instead because both marketplace and app store are used for en/disabling features on the platform. But NextCloud has niche apps for Android and I believe this provides more convenience to mobile users like myself.</p>
<hr>
<h2>NextCloud</h2>
<p>Since NextCloud is a file server in its core, it was the drop-in Google Drive &amp; Photos replacement I needed. It also has built-in <a href="https://en.wikipedia.org/wiki/WebDAV" title="Protocol for using remote file system over HTTP">WebDAV</a>, <a href="https://en.wikipedia.org/wiki/CardDAV" title="vCard (contact info) extension for WebDAV">CardDAV</a> and <a href="https://en.wikipedia.org/wiki/CalDAV" title="Calendar extension for WebDAV">CalDAV</a> support, which means I can use NextCloud as Google Contacts &amp; Calendar replacement as well and access files in native file manager as if it was a USB drive 🎉️</p>
<p>After enabling more services from feature manager (yes, I am sticking with this name) it also became my notes, tasks, bookmarks manager as well. All powered by a VM that costs 5$/month to run, +2$ for backup.</p>
<blockquote>
<p>One who loves roses should endure thorns - Turkish Proverb</p>
</blockquote>
<p>NextCloud is great. But just like every other artificial thing in this world, it isn't perfect. The biggest problem I face with it is the <strong>performance</strong> of web interface. It is written in PHP and being not compiled program is not doing any favors. Image preview loading can be called sluggish by many. Since I use mobile app most of the time which caches the previews, user experience isn't bad in my opinion.</p>
<hr>
<p><a href="https://kevq.uk" title="his blog">Kev Quirk</a> wrote a blog about his opinions and experiences with <strong title="My current choice of file server solution">NextCloud</strong> and <strong title="His choice of home server solution">Synology</strong>. This is my answer to <a href="https://kevq.uk/synology-vs-nextcloud-which-is-better-for-a-home-server/" title="Synology vs Nextcloud Which Is Better For A Home Server?">his blog</a>.</p>
<p>Synology's home server sound like a great product. I am happy for you and your family that your data is safe and accesible without giving up your privacy. After reading your blog, I wanted to try Synology as well. Upon seeing the price for <a href="https://www.newegg.com/synology-ds420/p/N82E16822108744" title="4 HDD bay NAS for home/small business use (disks not included)">Synology 420+</a> is 500$ and another 400$ for 4x <a href="https://www.newegg.com/seagate-ironwolf-st4000vn008-4tb/p/N82E16822179005" title="SeaGate NAS HDD">4TB HDD</a> for RAID 6, I believe NextCloud is the best choice I have. I am 1 student who has no movies, musics, 4K family photos or video project for YouTube channel to utilize TBs of storage not do I have budget for it. Under these requirements and constraints, I want to offer an alternative to Google to my family. Since I can't just ask for ~900$ for Synology, NextCloud on a VM is the best option I have. I still have option of increasing VM disk size or mounting external block storage as our storage needs grow.</p>
<p>It is nice that we have different perspectives on same topic. I wrote this answer because I wanted you to see from the eyes of a student living on pocket money and still afford for privacy of his and his family. May your Synology system last long and serve your family well 🙂️</p>
<hr>
<p>If you think Google services aren't that bad and I would be better off keep using Google services, <a href="https://tosdr.org/#google">here is my reasoning #1</a> and <a href="https://www.reuters.com/article/us-alphabet-google-privacy-lawsuit/google-faces-lawsuit-over-tracking-in-apps-even-when-users-opted-out-idUSKCN24F2N4" title="Google faces lawsuit over tracking in apps even when users opted out - Reuters">#2</a>. But if you still think that I should use Google services, tell me your reasoning and help me see your side of the coin. I would like to stay open minded.</p><!-- Comments -->
<hr>
<h2>Comments</h2>
<p>Toot on <a href="https://fosstodon.org/@murtezayesil/104521563799892039">this thread</a> to comment. This blog is a static site. Comments won't appear here.</p>
</article>
</aside><!-- /#featured -->
<section id="content" class="body">
<h1>Other articles</h1>
<ol id="posts-list" class="hfeed">
</footer><!-- /.post-info --> </div><!-- /.entry-content -->
</article></li>
<li><article class="hentry">
<header>
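Review bot: The E2EE answer calls "AES-256 ECB" "one of the greatest encryption algorithms out there", which credits the mode with the strength of the cipher. ECB encrypts every block independently, so identical plaintext blocks produce identical ciphertext blocks and patterns in the data stay visible. Suggest praising AES-256 and naming ECB as a weakness instead, which also supports the section's argument better than the current wording. Minor: the category label is "tech" in the Jitsi post-info but still "Tech" in the NextCloud entry further down this hunk.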

View File

@ -40,7 +40,7 @@
</nav>
<div id="submenu">
<ul>
<li><a href="https://murtezayesil.me/category/tech.html">Tech</a></li>
<li><a href="https://murtezayesil.me/category/tech.html">tech</a></li>
</ul>
<div>
</header><!-- /#banner -->
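Review bot: The context around the Tech/tech change shows a bare "<div>" after "</ul>", so "<div id="submenu">" is never closed before "</header>" and a second div is opened instead. This looks like a typo for "</div>" in the theme template. The same lines recur in the other generated pages in this commit, so fix it once in the template rather than in the output files.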

View File

@ -40,7 +40,7 @@
</nav>
<div id="submenu">
<ul>
<li><a href="https://murtezayesil.me/category/tech.html">Tech</a></li>
<li><a href="https://murtezayesil.me/category/tech.html">tech</a></li>
</ul>
<div>
</header><!-- /#banner -->

View File

@ -40,7 +40,7 @@
</nav>
<div id="submenu">
<ul>
<li class="active"><a href="https://murtezayesil.me/category/tech.html">Tech</a></li>
<li class="active"><a href="https://murtezayesil.me/category/tech.html">tech</a></li>
</ul>
<div>
</header><!-- /#banner -->

View File

@ -40,49 +40,126 @@
</nav>
<div id="submenu">
<ul>
<li><a href="https://murtezayesil.me/category/tech.html">Tech</a></li>
<li><a href="https://murtezayesil.me/category/tech.html">tech</a></li>
</ul>
<div>
</header><!-- /#banner -->
<aside id="featured" class="body">
<article>
<h1 class="entry-title"><a href="https://murtezayesil.me/digital-cleansing-nextcloud.html">Digital Cleansing - NextCloud</a></h1>
<h1 class="entry-title"><a href="https://murtezayesil.me/digital-cleansing-jitsi.html">Digital Cleansing - Jitsi</a></h1>
<footer class="post-info">
<span>Sat 18 July 2020</span>
<span>| in <a href="https://murtezayesil.me/category/tech.html">tech</a></span>
<span>| tags: <a href="https://murtezayesil.me/tag/privacy.html">privacy</a><a href="https://murtezayesil.me/tag/jitsi.html">jitsi</a><a href="https://murtezayesil.me/tag/100daystooffload.html">100DaysToOffload</a></span> <span>| Day <strong>5</strong> of #100DaysToOffload</span>
</footer><!-- /.post-info --><p>My family is spread into 3 countries in 3 different continents. If we include my close relatives too, these numbers go even higher. It is important to stay in contact with your family and relatives in Turkish culture and we try to do that. Let it be weekend Zoom meetings (in 40 minute chunks :) or phone calls on WhatsApp (owned by Facebook), we heavily rely on third party services for communication. After launching NextCloud for my family to use, I what I wanted to tackle the <strong>Communication</strong> problem.</p>
<p>We have 3 kinds of communication needs in the family:<br>
1. Text messages<br>
2. Voice Calls<br>
3. (Mostly group) Video Calls</p>
<hr>
<h3>Text Messaging &amp; Voice Calls</h3>
<p>I have been usign Telegram wherever I can for few years. Its UI is very similar to that of WhatsApp which I hope will ease the transition for my relatives. Since it also has voice calling, I don't need to look for another service for that. I love hitting two birds with one stone (only in metaphor) 😄️ <br>
That being said, I won't actually talk much about WhatsApp. Facebook bought WhatsApp back in February 2014. I believe that was a great deal for Facebook and a terrible deal for users.<br>
I know I mentioned Telegram but there is one more great alternative to WhatsApp (or even Telegram). It is called <a href="https://signal.org/" title="Official page">Signal</a> and it is developed by a non-profit founded by Co-founder of WhatsApp, Brian Acton. It is one freaking secure messaging app 😎️</p>
<hr>
<h3>Group Video Calls</h3>
<p>My families' and relatives' current choice of Group Video Calling service is Zoom, just like millions of other people who needed a video calling service for remote work, distance education and calling their loved ones. But Zoom seemingly popped out of nowhere for many people. I wanted to learn more about who Zoom is and how trustable it is. I hope my findings will help you to make educated decisions.</p>
<p>Zoom was <a href="https://en.wikipedia.org/wiki/Zoom_(software)#History" title="History of Zoom on Wikipedia">launched in September 2012</a>, reached <a href="https://www.tmcnet.com/topics/articles/2013/05/23/339279-zoom-video-communications-reaches-1-million-participants.htm" title="Zoom Video Communications Reaches 1 Million Participants - TMCnet">1 Million user base in January 2013</a> and rapidly grow during global quarantine to a point that Zoom got <a href="https://web.archive.org/web/20200422125131/https://www.theguardian.com/technology/2020/mar/31/zoom-booms-as-demand-for-video-conferencing-tech-grows-in-coronavirus-outbreak" title="Zoom booms as demand for video-conferencing tech grows - The Guardian [archive]">2.13 Million downloads on March 23rd 2020</a>.</p>
<p>After some research (reading Wikipedia) I found that Zoom had many wounds that hurt many of its users. Given that Zoom reached 1 Million userbase 5 months after launching (from September 2012 to January 2013) and they were charging 9.99$/month, I expect Zoom to invest into infrastructure and app security. I am saying this because they clearly had time to fix issues in their apps before the pandemic arrived. Here are few examples to show how Zoom messed up:<br>
<strong>Windows</strong> : <a href="https://arstechnica.com/information-technology/2020/04/unpatched-zoom-bug-lets-attackers-steal-windows-credentials-with-no-warning/">Attackers can use Zoom to steal users Windows credentials with no warning - ars technica</a><br>
<strong>MacOS</strong> : <a href="https://threatpost.com/zoom-zero-day-mac-webcam-hijacking/146317/">Zoom Zero-Day Bug Opens Mac Users to Webcam Hijacking - threat post</a>. This prompted Apple to use its MRT (Malware Removal Tool) to remotely delete Zoom from Mac computers.<br>
<strong>MacOS</strong> : <a href="https://medium.com/bugbountywriteup/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5">Zoom Zero Day: 4+ Million Webcams &amp; maybe an RCE? Just get them to visit your website! - InfoSec Write-ups</a> allowing Zoom to reinstall itself after being uninstalled and join a video call with camera activated without user's permission.<br>
<strong>MacOS</strong> : <a href="https://nitter.net/c1truz_/status/1244737672930824193">Zoom App installation uses the same method used by malwares to gain root priviledges - Twitter thread on Nitter</a><br>
<strong>iOS</strong> : <a href="https://www.vice.com/en_ca/article/k7e599/zoom-ios-app-sends-data-to-facebook-even-if-you-dont-have-a-facebook-account">Zoom iOS App Sends Data to Facebook Even if You Dont Have a Facebook Account - Vice</a><br>
<strong>Android</strong> : I didn't find any news about Zoom Android App vulnerabilities. But if they used Facebook tracker in iOS app, I don't see any reason why zoom wouldn't use the same on Android
<strong>Linux</strong> : No vulnerability was found YET. Remember that <a href="https://netmarketshare.com/operating-system-market-share.aspx?options=%7B%22filter%22%3A%7B%22%24and%22%3A%5B%7B%22deviceType%22%3A%7B%22%24in%22%3A%5B%22Desktop%2Flaptop%22%5D%7D%7D%5D%7D%2C%22dateLabel%22%3A%22Custom%22%2C%22attributes%22%3A%22share%22%2C%22group%22%3A%22platform%22%2C%22sort%22%3A%7B%22share%22%3A-1%7D%2C%22id%22%3A%22platformsDesktop%22%2C%22dateInterval%22%3A%22Monthly%22%2C%22dateStart%22%3A%222019-08%22%2C%22dateEnd%22%3A%222020-06%22%2C%22plotKeys%22%3A%5B%7B%22platform%22%3A%22Linux%22%7D%2C%7B%22platform%22%3A%22Mac%20OS%22%7D%2C%7B%22platform%22%3A%22Chrome%20OS%22%7D%5D%2C%22segments%22%3A%22-1000%22%7D" title="Less than 4%">Linux desktop has a small marketshare</a> and apps for it are less likely to be targeted by hackers.</p>
<blockquote>
<p>"Zoom has just had so many missteps."
- Patrick Wardle, Jamf</p>
</blockquote>
<p>You can read about Zoom's vulnerabilities on MacOS and iOS in detail in <a href="https://objective-see.com/blog/blog_0x56.html" title="The 'S' in Zoom, Stands for Security - Objective-See">this blog post of Objective-See</a>. </p>
<p>These issues were <strong>FIXED</strong> by Zoom. But Zoom took long time to responde some of the cyber security personel as if it didn't care about the user privacy and security. I only mentioned the vulnerabilities in Zoom's apps. Zoom also <a href="https://www.axios.com/zoom-closes-chinese-user-account-tiananmen-square-f218fed1-69af-4bdd-aac4-7eaf67f34084.html" title="Zoom closed account of U.S.-based Chinese activist “to comply with local law” - Axios">contributed to censorship</a> by closing human rights activist Zhou Fengsuo's paid account and closing Social activist Lee Cheuk Yan's account upon China's request.</p>
<p>👉️ Since those vulnerabilities are fixed it should be safe to use Zoom, right?<br>
Unfortunately, NO. Even if apps became less vulnerable, users still are through weak privacy practices and use of third party trackers. Zoom's Privacy Policy is <a href="https://zoom.us/privacy#_Toc44414842">not assuring enough</a>.</p>
<p>👉️ They introduced end-to-end encryption, E2EE. Is it insecure encryption?<br>
AES-256 ECB algorithm used for E2EE is one of the greatest encryption algorithms out there. But it isn't enabled by default and enabling E2EE disables many features such as screensharing, which doesn't incentivise people to use E2EE. Both enterprise customers and teachers would want to use screensharing, thus not using E2EE.</p>
<p>👉️ They say Zoom encrypts every meeting by default. Are they lying?<br>
No, they are not. But they aren't telling the whole story either. When you start a Zoom meeting, your device establishes a connection to Zoom over <a href="https://en.wikipedia.org/wiki/Https#Security">HTTPS</a>. Meaning data is encrypted during transmission between you and Zoom. Data gets decrypted in Zoom and encrypted again before it goes to whoever you are meeting with. This is done because everybody in the meeting has different <a href="https://en.wikipedia.org/wiki/Session_key">session key</a> for encryption. Your meeting is apparent to Zoom, not hidden from it.</p>
<p>👉️ Zoom has faced <a href="https://en.wikipedia.org/wiki/Zero-day_(computing)" title="Learn about zero day attacks on Wikipedia">0-day attacks</a> which weren't fair.<br>
Not a question but I get your point. When a cyber security personal discovers a vulnerability, (s)he informs the vendor about the vulnerability in disguise and asks for bounty. Vendor checks if that is a legit vulnerability or a scam. Then they work together to fix the issue and vendor pays the bounty. Many companies have a <a href="https://www.intel.com/content/www/us/en/security-center/bug-bounty-program.html" title="Intel offers upto 100,000$">bug</a> <a href="https://hackerone.com/verizonmedia?type=team" title="Verizon offers upto 15,000$">bounty</a> <a href="https://www.microsoft.com/en-us/msrc/bounty" title="Microsoft offers upto 100,000$">program</a>.<br>
A cyber security personal may choose to release the vulnerability to public for it to be exploited by other people, which turns a vulnerability into zero day attack. This action incentivises vendor to fix that issue immediately since issue became well-known.<br>
Zoom had time since 2013 for testing its softwares properly. Proper testing would uncover those bugs before hackers did. Any company that is careless about security and privacy of its customers' deserves to be pinched to start acting.</p>
<p>What if I am forced to Zoom by my employer/school/family?<br>
Desktop/laptop users:<br>
1. Windows: Use virtual machine and apply one of the below Linux methods<br>
2. MacOS: Use virtual machine and apply one of the below Linux methods<br>
3. Linux: Install Linux Live image on a USB and boot into it everytime you need to Zoom. Install Zoom into that Live environment. Zoom will only be able to access what is in that Live environment. Shutting down a Live environment deletes everything that was installed in that session.<br>
4. Linux: <a href="https://ar.al/2020/06/25/how-to-use-the-zoom-malware-safely-on-linux-if-you-absolutely-have-to/" title="How to use the Zoom malware safely on Linux if you absolutely have to - Aral Balkan">Install Zoom into a firejail</a>, greatly limiting what it can reach.<br>
Mobile users:<br>
1. Android: <a href="https://www.howtogeek.com/333484/how-to-set-up-multiple-user-profiles-on-android/" title="This process maybe different for different brands">Create a restricted user</a> on your phone and install Zoom there. Not in your main user.
2. Android: If you can, use Zoom on Linux as described above.
3. iOS: Don't give it permissions if you don't need them. Don't let it run in background. Uninstall after using.
4. iOS: If you can, use Zoom on Linux as described above.</p>
<p>PS: I don't own a Mac, iPhone or Windows PC. But since Zoom on those platforms seem to be the affected most, I recommend everybody to use Zoom on Linux in a firejail if you absolutely have to.</p>
<p>I also wanted to read articles <a href="https://medium.com/@rowantrollope/beyond-the-noise-7-reasons-its-safe-to-run-zoom-9a2e639b13ec">that</a> <a href="https://blog.prialto.com/3-reasons-why-zoom-provides-the-best-video-conferencing-software">defend</a> <a href="https://www.forbes.com/sites/rebeccabellan/2020/03/24/what-you-need-to-know-about-using-zoom/#3cee9d0d3284">Zoom</a>. But they are mostly talking about Zoom's E2EE feature (that is not default), how people got creative with Virtual Background feature, Zoom's clean UI, ability to fake paying attention and its price. They either say nothing about Zooms privacy policy or even if they say something, it is not assuring in my opinion.</p>
<hr>
<h1>Jitsi</h1>
<p>Jitsi is an open source alternative to Video Calling (Conferencing) services. I will prove that Jitsi is much better than Zoom with only 1 sentence.</p>
<h1 style="text-align: center;">You can host Jitsi on your own server without relying on another entity</h1>
<p>You want more?</p>
<ol>
<li>Jitsi has Clean UI that is familiar to that of Zoom. </li>
<li>Jitsi <strong>doesn't</strong> have looping video feature which helps students or emplyees fake paying attention. </li>
<li>Jitsi is <strong title="Free Open Source Software">FOSS</strong> developed by <a href="https://8x8.com">8x8</a>. </li>
<li>
<p>Hosting Jitsi doesn't require a server with powerful CPU or GPU. Important resource is bandwidth. </p>
</li>
<li>
<p>Jitsi doesn't have virtual background but it instead has background blurring in development.</p>
</li>
</ol>
<p>👉️ Is it truely E2EE?<br>
<strong>This is what I understood from reading <a href="https://github.com/jitsi/jitsi-meet/issues/409#issuecomment-260652107">this threat</a>. Please correct me if I am wrong</strong><br>
Short answer is No.<br>
Long answer is: Just like in Zoom's case, connection between users and Jitsi VideoBridge (server) is encrypted. Server decrypts and encrypts everybody's stream for everybody else. But by having the control of Jitsi VideoBridge (server) by hosting it on your own server, you can assure that no other company/organization is holding your plain data except the recepient you are meeting with.<br>
That being said, Jitsi can establish P2P connection in rooms where there are only 2 people. This is a feature of WebRTC that Jitsi is built upon. It still <strong>isn't</strong> true E2EE.</p>
<p>👉️ Do anyone even use it?<br>
Glad you ask. Many companies banned use of Zoom and switched to alternatives such as Microsoft Teams, Skype, Hangout Meet and Jitsi. You probably won't see Jitsi's UI very often in the wild, but many companies use Jitsi VideoBridge as their backend for video conferences. Out of all the alternatives, only Jitsi allows self-hosting of server (Jitsi VideoBridge) AFAIK.</p>
<h2>How to install Jitsi server?</h2>
<p>I followed <strong>Nerd on the Street</strong>'s <a href="https://invidio.us/watch?v=IQRwtUamHQU">Host a Jitsi Meet Server</a> installation tutorial. It took about 30 minute of my time (I am a noob) to get the server running. It takes another 10 minutes to secure it.</p>
<hr>
<p>When I started this blog post, I expected to list 2 reasons not to use WhatsApp and Zoom then start talking about why Jitsi is the answer to my family's Group Video Calling needs. To fact check what I knew about about them (Zoom in particular) I searched them on <a href="https://en.wikipedia.org/wiki/Zoom_(software)" title="Read more about Zoom on WikiPedia">Wikipedia</a>. I learned much more than I expected. I am sorry for turning this post into "Rant of Zoom". I hope you learned a thing or two too.</p>
<hr>
<h3>Other side of the coin</h3>
<p>If you think I would be better of sticking to WhatsApp or Zoom, tell me more. Even though I read many negative things about Zoom, I will try my best to keep an open mind and hear people seeing other side of the coin. I am a human and can make mistakes. If there is something important I should know to better understand what is going on, please reply to comment toot linked below.</p><!-- Comments -->
<hr>
<h2>Comments</h2>
<p>Toot on <a href="https://fosstodon.org/@murtezayesil/104535970036319662">this thread</a> to comment. This blog is a static site. Comments won't appear here.</p>
</article>
</aside><!-- /#featured -->
<section id="content" class="body">
<h1>Other articles</h1>
<ol id="posts-list" class="hfeed">
<li><article class="hentry">
<header>
<h1><a href="https://murtezayesil.me/digital-cleansing-nextcloud.html" rel="bookmark"
title="Permalink to Digital Cleansing - NextCloud">Digital Cleansing - NextCloud</a></h1>
</header>
<div class="entry-content">
<footer class="post-info">
<span>Thu 16 July 2020</span>
<span>| in <a href="https://murtezayesil.me/category/tech.html">Tech</a></span>
<span>| tags: <a href="https://murtezayesil.me/tag/privacy.html">privacy</a><a href="https://murtezayesil.me/tag/nextcloud.html">nextcloud</a><a href="https://murtezayesil.me/tag/100daystooffload.html">100DaysToOffload</a></span> <span>| Day <strong>4</strong> of #100DaysToOffload</span>
</footer><!-- /.post-info --><p>This article reflects my opinions and experiences with few file server services.</p>
<p>TL;DR : I think NextCloud is a far superior product for the price.</p>
<p>Digital cleansing is about reowning personal data and regaining control over how it is processed. When I started digital cleansing, I wanted to start from where the most of my data is stored. There are 2 such services, Google Drive and Photos. I started by looking for <a href="https://alternativeto.net/software/google-drive/">alternatives</a>. OwnCloud and NextCloud seemed like <strong>affordable</strong> and <strong title="Free Open Source Software">FOSS</strong> alternatives that allow <strong title="Can be hosted on personal (or home) computer/server without relying on another service provider">self-hosting</strong>.</p>
<hr>
<h2>Owncloud</h2>
<p>I started my journey by renting a VM on Digital Ocean, droplet. I installed <a href="https://en.wikipedia.org/wiki/LAMP_(software_bundle)" title="Minimum set of softwares needed for a working web service">LAMP stack</a> and <a href="https://en.wikipedia.org/wiki/OwnCloud" title="File server service">OwnCloud</a>. As a new comer to OwnCloud, I started to click every button in every menu to discover and learn more about OwnCloud. <a href="https://marketplace.owncloud.com/">Marketplace</a>, a feature manager to add/remove more features, has many stuff that can appeal to enterprises and teams working from home. Next, I browsed the <a href="https://search.f-droid.org/?q=owncloud" title="Apps for OwnCloud on F-droid">available Android apps for OwnCloud</a>. To my surprise, there aren't many. I expected niche apps on Android for using niche features on marketplace. Instead, I would run into more <a href="https://search.f-droid.org/?q=nextcloud" title="Apps for NextCloud on F-droid">apps branded for NextCloud</a>. Meanwhile I updated the droplet, because updates are important, but ran into "kernel updates rendering server unbootable" kind of issues, I switched to Linode and NextCloud after strugling on Digital Ocean for a week.</p>
<p>Just like Owncloud's marketplace, NextCloud has its own "app store", I'd like to them "feature manager" instead because both marketplace and app store are used for en/disabling features on the platform. But NextCloud has niche apps for Android and I believe this provides more convenience to mobile users like myself.</p>
<hr>
<h2>NextCloud</h2>
<p>Since NextCloud is a file server in its core, it was the drop-in Google Drive &amp; Photos replacement I needed. It also has built-in <a href="https://en.wikipedia.org/wiki/WebDAV" title="Protocol for using remote file system over HTTP">WebDAV</a>, <a href="https://en.wikipedia.org/wiki/CardDAV" title="vCard (contact info) extension for WebDAV">CardDAV</a> and <a href="https://en.wikipedia.org/wiki/CalDAV" title="Calendar extension for WebDAV">CalDAV</a> support, which means I can use NextCloud as Google Contacts &amp; Calendar replacement as well and access files in native file manager as if it was a USB drive 🎉️</p>
<p>After enabling more services from feature manager (yes, I am sticking with this name) it also became my notes, tasks, bookmarks manager as well. All powered by a VM that costs 5$/month to run, +2$ for backup.</p>
<blockquote>
<p>One who loves roses should endure thorns - Turkish Proverb</p>
</blockquote>
<p>NextCloud is great. But just like every other artificial thing in this world, it isn't perfect. The biggest problem I face with it is the <strong>performance</strong> of web interface. It is written in PHP and being not compiled program is not doing any favors. Image preview loading can be called sluggish by many. Since I use mobile app most of the time which caches the previews, user experience isn't bad in my opinion.</p>
<hr>
<p><a href="https://kevq.uk" title="his blog">Kev Quirk</a> wrote a blog about his opinions and experiences with <strong title="My current choice of file server solution">NextCloud</strong> and <strong title="His choice of home server solution">Synology</strong>. This is my answer to <a href="https://kevq.uk/synology-vs-nextcloud-which-is-better-for-a-home-server/" title="Synology vs Nextcloud Which Is Better For A Home Server?">his blog</a>.</p>
<p>Synology's home server sound like a great product. I am happy for you and your family that your data is safe and accesible without giving up your privacy. After reading your blog, I wanted to try Synology as well. Upon seeing the price for <a href="https://www.newegg.com/synology-ds420/p/N82E16822108744" title="4 HDD bay NAS for home/small business use (disks not included)">Synology 420+</a> is 500$ and another 400$ for 4x <a href="https://www.newegg.com/seagate-ironwolf-st4000vn008-4tb/p/N82E16822179005" title="SeaGate NAS HDD">4TB HDD</a> for RAID 6, I believe NextCloud is the best choice I have. I am 1 student who has no movies, musics, 4K family photos or video project for YouTube channel to utilize TBs of storage not do I have budget for it. Under these requirements and constraints, I want to offer an alternative to Google to my family. Since I can't just ask for ~900$ for Synology, NextCloud on a VM is the best option I have. I still have option of increasing VM disk size or mounting external block storage as our storage needs grow.</p>
<p>It is nice that we have different perspectives on same topic. I wrote this answer because I wanted you to see from the eyes of a student living on pocket money and still afford for privacy of his and his family. May your Synology system last long and serve your family well 🙂️</p>
<hr>
<p>If you think Google services aren't that bad and I would be better off keep using Google services, <a href="https://tosdr.org/#google">here is my reasoning #1</a> and <a href="https://www.reuters.com/article/us-alphabet-google-privacy-lawsuit/google-faces-lawsuit-over-tracking-in-apps-even-when-users-opted-out-idUSKCN24F2N4" title="Google faces lawsuit over tracking in apps even when users opted out - Reuters">#2</a>. But if you still think that I should use Google services, tell me your reasoning and help me see your side of the coin. I would like to stay open minded.</p><!-- Comments -->
<hr>
<h2>Comments</h2>
<p>Toot on <a href="https://fosstodon.org/@murtezayesil/104521563799892039">this thread</a> to comment. This blog is a static site. Comments won't appear here.</p>
</article>
</aside><!-- /#featured -->
<section id="content" class="body">
<h1>Other articles</h1>
<ol id="posts-list" class="hfeed">
</footer><!-- /.post-info --> </div><!-- /.entry-content -->
</article></li>
<li><article class="hentry">
<header>
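Review bot: In the "They introduced end-to-end encryption" answer under Group Video Calls, the sentence "AES-256 ECB algorithm used for E2EE is one of the greatest encryption algorithms out there" praises the mode of operation together with the cipher. ECB encrypts identical plaintext blocks to identical ciphertext blocks, so it leaks patterns in the data; the sentence should either drop "ECB" or name the mode as a weakness rather than a strength. Separately, the Android line in the platform list and the first three items under "Mobile users:" have no trailing `<br>`, unlike their neighbours, so they run into the next item when rendered. In the Jitsi E2EE answer, the link text "this threat" should read "this thread".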

174
output/tag/jitsi.html Normal file
View File

@ -0,0 +1,174 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
<title>Ali Murteza Yesil - jitsi</title>
<link rel="stylesheet" href="https://murtezayesil.me/theme/css/main.css" />
<link href="https://murtezayesil.me/feeds/atom.xml" type="application/atom+xml" rel="alternate" title="Ali Murteza Yesil Atom Feed" />
<link href="https://murtezayesil.me/feeds/rss.xml" type="application/rss+xml" rel="alternate" title="Ali Murteza Yesil RSS Feed" />
<!-- This border added via BLACK_LIVES_MATTER toggle in site settings -->
<style>
body {
border-width: 5em ;
border-color: #000000 ;
border-style: none solid solid solid ; /* top border : none, right bottom left : solid */
}
</style>
<!--[if IE]>
<script src="http://html5shiv.googlecode.com/svn/trunk/html5.js"></script>
<![endif]-->
</head>
<body id="index" class="home">
<!-- This banner added via BLACK_LIVES_MATTER toggle in site settings -->
<div style="background-color: black; padding: 1em; margin-bottom: .8em">
<h1 style="text-align: center; margin-bottom: 0em"><a href="https://blacklivesmatter.com/" style="color: #fce21b; font-size: 2em">Black Lives Matter</a></h1>
</div>
<header id="banner" class="body">
<h1><a href="https://murtezayesil.me/">Ali Murteza Yesil <strong>Blog</strong></a></h1>
<nav><ul>
<li><a href="https://murtezayesil.me/pages/about.html">About</a></li>
<li><a href="https://murtezayesil.me/pages/contact.html">Contact</a></li>
</ul>
<form id="search" action"#" onsubmit="javascript:window.open('https://duckduckgo.com/?q='+document.getElementById('keywords').value+'+site:https://murtezayesil.me');">
<input id="keywords" type="text" />
</form>
</nav>
<div id="submenu">
<ul>
<li><a href="https://murtezayesil.me/category/tech.html">tech</a></li>
</ul>
<div>
</header><!-- /#banner -->
<aside id="featured" class="body">
<article>
<h1 class="entry-title"><a href="https://murtezayesil.me/digital-cleansing-jitsi.html">Digital Cleansing - Jitsi</a></h1>
<footer class="post-info">
<span>Sat 18 July 2020</span>
<span>| in <a href="https://murtezayesil.me/category/tech.html">tech</a></span>
<span>| tags: <a href="https://murtezayesil.me/tag/privacy.html">privacy</a><a href="https://murtezayesil.me/tag/jitsi.html">jitsi</a><a href="https://murtezayesil.me/tag/100daystooffload.html">100DaysToOffload</a></span> <span>| Day <strong>5</strong> of #100DaysToOffload</span>
</footer><!-- /.post-info --><p>My family is spread into 3 countries in 3 different continents. If we include my close relatives too, these numbers go even higher. It is important to stay in contact with your family and relatives in Turkish culture and we try to do that. Let it be weekend Zoom meetings (in 40 minute chunks :) or phone calls on WhatsApp (owned by Facebook), we heavily rely on third party services for communication. After launching NextCloud for my family to use, I what I wanted to tackle the <strong>Communication</strong> problem.</p>
<p>We have 3 kinds of communication needs in the family:<br>
1. Text messages<br>
2. Voice Calls<br>
3. (Mostly group) Video Calls</p>
<hr>
<h3>Text Messaging &amp; Voice Calls</h3>
<p>I have been usign Telegram wherever I can for few years. Its UI is very similar to that of WhatsApp which I hope will ease the transition for my relatives. Since it also has voice calling, I don't need to look for another service for that. I love hitting two birds with one stone (only in metaphor) 😄️ <br>
That being said, I won't actually talk much about WhatsApp. Facebook bought WhatsApp back in February 2014. I believe that was a great deal for Facebook and a terrible deal for users.<br>
I know I mentioned Telegram but there is one more great alternative to WhatsApp (or even Telegram). It is called <a href="https://signal.org/" title="Official page">Signal</a> and it is developed by a non-profit founded by Co-founder of WhatsApp, Brian Acton. It is one freaking secure messaging app 😎️</p>
<hr>
<h3>Group Video Calls</h3>
<p>My families' and relatives' current choice of Group Video Calling service is Zoom, just like millions of other people who needed a video calling service for remote work, distance education and calling their loved ones. But Zoom seemingly popped out of nowhere for many people. I wanted to learn more about who Zoom is and how trustable it is. I hope my findings will help you to make educated decisions.</p>
<p>Zoom was <a href="https://en.wikipedia.org/wiki/Zoom_(software)#History" title="History of Zoom on Wikipedia">launched in September 2012</a>, reached <a href="https://www.tmcnet.com/topics/articles/2013/05/23/339279-zoom-video-communications-reaches-1-million-participants.htm" title="Zoom Video Communications Reaches 1 Million Participants - TMCnet">1 Million user base in January 2013</a> and rapidly grow during global quarantine to a point that Zoom got <a href="https://web.archive.org/web/20200422125131/https://www.theguardian.com/technology/2020/mar/31/zoom-booms-as-demand-for-video-conferencing-tech-grows-in-coronavirus-outbreak" title="Zoom booms as demand for video-conferencing tech grows - The Guardian [archive]">2.13 Million downloads on March 23rd 2020</a>.</p>
<p>After some research (reading Wikipedia) I found that Zoom had many wounds that hurt many of its users. Given that Zoom reached 1 Million userbase 5 months after launching (from September 2012 to January 2013) and they were charging 9.99$/month, I expect Zoom to invest into infrastructure and app security. I am saying this because they clearly had time to fix issues in their apps before the pandemic arrived. Here are few examples to show how Zoom messed up:<br>
<strong>Windows</strong> : <a href="https://arstechnica.com/information-technology/2020/04/unpatched-zoom-bug-lets-attackers-steal-windows-credentials-with-no-warning/">Attackers can use Zoom to steal users Windows credentials with no warning - ars technica</a><br>
<strong>MacOS</strong> : <a href="https://threatpost.com/zoom-zero-day-mac-webcam-hijacking/146317/">Zoom Zero-Day Bug Opens Mac Users to Webcam Hijacking - threat post</a>. This prompted Apple to use its MRT (Malware Removal Tool) to remotely delete Zoom from Mac computers.<br>
<strong>MacOS</strong> : <a href="https://medium.com/bugbountywriteup/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5">Zoom Zero Day: 4+ Million Webcams &amp; maybe an RCE? Just get them to visit your website! - InfoSec Write-ups</a> allowing Zoom to reinstall itself after being uninstalled and join a video call with camera activated without user's permission.<br>
<strong>MacOS</strong> : <a href="https://nitter.net/c1truz_/status/1244737672930824193">Zoom App installation uses the same method used by malwares to gain root priviledges - Twitter thread on Nitter</a><br>
<strong>iOS</strong> : <a href="https://www.vice.com/en_ca/article/k7e599/zoom-ios-app-sends-data-to-facebook-even-if-you-dont-have-a-facebook-account">Zoom iOS App Sends Data to Facebook Even if You Dont Have a Facebook Account - Vice</a><br>
<strong>Android</strong> : I didn't find any news about Zoom Android App vulnerabilities. But if they used Facebook tracker in iOS app, I don't see any reason why zoom wouldn't use the same on Android
<strong>Linux</strong> : No vulnerability was found YET. Remember that <a href="https://netmarketshare.com/operating-system-market-share.aspx?options=%7B%22filter%22%3A%7B%22%24and%22%3A%5B%7B%22deviceType%22%3A%7B%22%24in%22%3A%5B%22Desktop%2Flaptop%22%5D%7D%7D%5D%7D%2C%22dateLabel%22%3A%22Custom%22%2C%22attributes%22%3A%22share%22%2C%22group%22%3A%22platform%22%2C%22sort%22%3A%7B%22share%22%3A-1%7D%2C%22id%22%3A%22platformsDesktop%22%2C%22dateInterval%22%3A%22Monthly%22%2C%22dateStart%22%3A%222019-08%22%2C%22dateEnd%22%3A%222020-06%22%2C%22plotKeys%22%3A%5B%7B%22platform%22%3A%22Linux%22%7D%2C%7B%22platform%22%3A%22Mac%20OS%22%7D%2C%7B%22platform%22%3A%22Chrome%20OS%22%7D%5D%2C%22segments%22%3A%22-1000%22%7D" title="Less than 4%">Linux desktop has a small marketshare</a> and apps for it are less likely to be targeted by hackers.</p>
<blockquote>
<p>"Zoom has just had so many missteps."
- Patrick Wardle, Jamf</p>
</blockquote>
<p>You can read about Zoom's vulnerabilities on MacOS and iOS in detail in <a href="https://objective-see.com/blog/blog_0x56.html" title="The 'S' in Zoom, Stands for Security - Objective-See">this blog post of Objective-See</a>. </p>
<p>These issues were <strong>FIXED</strong> by Zoom. But Zoom took long time to responde some of the cyber security personel as if it didn't care about the user privacy and security. I only mentioned the vulnerabilities in Zoom's apps. Zoom also <a href="https://www.axios.com/zoom-closes-chinese-user-account-tiananmen-square-f218fed1-69af-4bdd-aac4-7eaf67f34084.html" title="Zoom closed account of U.S.-based Chinese activist “to comply with local law” - Axios">contributed to censorship</a> by closing human rights activist Zhou Fengsuo's paid account and closing Social activist Lee Cheuk Yan's account upon China's request.</p>
<p>👉️ Since those vulnerabilities are fixed it should be safe to use Zoom, right?<br>
Unfortunately, NO. Even if apps became less vulnerable, users still are through weak privacy practices and use of third party trackers. Zoom's Privacy Policy is <a href="https://zoom.us/privacy#_Toc44414842">not assuring enough</a>.</p>
<p>👉️ They introduced end-to-end encryption, E2EE. Is it insecure encryption?<br>
AES-256 ECB algorithm used for E2EE is one of the greatest encryption algorithms out there. But it isn't enabled by default and enabling E2EE disables many features such as screensharing, which doesn't incentivise people to use E2EE. Both enterprise customers and teachers would want to use screensharing, thus not using E2EE.</p>
<p>👉️ They say Zoom encrypts every meeting by default. Are they lying?<br>
No, they are not. But they aren't telling the whole story either. When you start a Zoom meeting, your device establishes a connection to Zoom over <a href="https://en.wikipedia.org/wiki/Https#Security">HTTPS</a>. Meaning data is encrypted during transmission between you and Zoom. Data gets decrypted in Zoom and encrypted again before it goes to whoever you are meeting with. This is done because everybody in the meeting has different <a href="https://en.wikipedia.org/wiki/Session_key">session key</a> for encryption. Your meeting is apparent to Zoom, not hidden from it.</p>
<p>👉️ Zoom has faced <a href="https://en.wikipedia.org/wiki/Zero-day_(computing)" title="Learn about zero day attacks on Wikipedia">0-day attacks</a> which weren't fair.<br>
Not a question but I get your point. When a cyber security personal discovers a vulnerability, (s)he informs the vendor about the vulnerability in disguise and asks for bounty. Vendor checks if that is a legit vulnerability or a scam. Then they work together to fix the issue and vendor pays the bounty. Many companies have a <a href="https://www.intel.com/content/www/us/en/security-center/bug-bounty-program.html" title="Intel offers upto 100,000$">bug</a> <a href="https://hackerone.com/verizonmedia?type=team" title="Verizon offers upto 15,000$">bounty</a> <a href="https://www.microsoft.com/en-us/msrc/bounty" title="Microsoft offers upto 100,000$">program</a>.<br>
A cyber security personal may choose to release the vulnerability to public for it to be exploited by other people, which turns a vulnerability into zero day attack. This action incentivises vendor to fix that issue immediately since issue became well-known.<br>
Zoom had time since 2013 for testing its softwares properly. Proper testing would uncover those bugs before hackers did. Any company that is careless about security and privacy of its customers' deserves to be pinched to start acting.</p>
<p>What if I am forced to Zoom by my employer/school/family?<br>
Desktop/laptop users:<br>
1. Windows: Use virtual machine and apply one of the below Linux methods<br>
2. MacOS: Use virtual machine and apply one of the below Linux methods<br>
3. Linux: Install Linux Live image on a USB and boot into it everytime you need to Zoom. Install Zoom into that Live environment. Zoom will only be able to access what is in that Live environment. Shutting down a Live environment deletes everything that was installed in that session.<br>
4. Linux: <a href="https://ar.al/2020/06/25/how-to-use-the-zoom-malware-safely-on-linux-if-you-absolutely-have-to/" title="How to use the Zoom malware safely on Linux if you absolutely have to - Aral Balkan">Install Zoom into a firejail</a>, greatly limiting what it can reach.<br>
Mobile users:<br>
1. Android: <a href="https://www.howtogeek.com/333484/how-to-set-up-multiple-user-profiles-on-android/" title="This process maybe different for different brands">Create a restricted user</a> on your phone and install Zoom there. Not in your main user.
2. Android: If you can, use Zoom on Linux as described above.
3. iOS: Don't give it permissions if you don't need them. Don't let it run in background. Uninstall after using.
4. iOS: If you can, use Zoom on Linux as described above.</p>
<p>PS: I don't own a Mac, iPhone or Windows PC. But since Zoom on those platforms seem to be the affected most, I recommend everybody to use Zoom on Linux in a firejail if you absolutely have to.</p>
<p>I also wanted to read articles <a href="https://medium.com/@rowantrollope/beyond-the-noise-7-reasons-its-safe-to-run-zoom-9a2e639b13ec">that</a> <a href="https://blog.prialto.com/3-reasons-why-zoom-provides-the-best-video-conferencing-software">defend</a> <a href="https://www.forbes.com/sites/rebeccabellan/2020/03/24/what-you-need-to-know-about-using-zoom/#3cee9d0d3284">Zoom</a>. But they are mostly talking about Zoom's E2EE feature (that is not default), how people got creative with Virtual Background feature, Zoom's clean UI, ability to fake paying attention and its price. They either say nothing about Zooms privacy policy or even if they say something, it is not assuring in my opinion.</p>
<hr>
<h1>Jitsi</h1>
<p>Jitsi is an open source alternative to Video Calling (Conferencing) services. I will prove that Jitsi is much better than Zoom with only 1 sentence.</p>
<h1 style="text-align: center;">You can host Jitsi on your own server without relying on another entity</h1>
<p>You want more?</p>
<ol>
<li>Jitsi has Clean UI that is familiar to that of Zoom. </li>
<li>Jitsi <strong>doesn't</strong> have looping video feature which helps students or emplyees fake paying attention. </li>
<li>Jitsi is <strong title="Free Open Source Software">FOSS</strong> developed by <a href="https://8x8.com">8x8</a>. </li>
<li>
<p>Hosting Jitsi doesn't require a server with powerful CPU or GPU. Important resource is bandwidth. </p>
</li>
<li>
<p>Jitsi doesn't have virtual background but it instead has background blurring in development.</p>
</li>
</ol>
<p>👉️ Is it truely E2EE?<br>
<strong>This is what I understood from reading <a href="https://github.com/jitsi/jitsi-meet/issues/409#issuecomment-260652107">this threat</a>. Please correct me if I am wrong</strong><br>
Short answer is No.<br>
Long answer is: Just like in Zoom's case, connection between users and Jitsi VideoBridge (server) is encrypted. Server decrypts and encrypts everybody's stream for everybody else. But by having the control of Jitsi VideoBridge (server) by hosting it on your own server, you can assure that no other company/organization is holding your plain data except the recepient you are meeting with.<br>
That being said, Jitsi can establish P2P connection in rooms where there are only 2 people. This is a feature of WebRTC that Jitsi is built upon. It still <strong>isn't</strong> true E2EE.</p>
<p>👉️ Do anyone even use it?<br>
Glad you ask. Many companies banned use of Zoom and switched to alternatives such as Microsoft Teams, Skype, Hangout Meet and Jitsi. You probably won't see Jitsi's UI very often in the wild, but many companies use Jitsi VideoBridge as their backend for video conferences. Out of all the alternatives, only Jitsi allows self-hosting of server (Jitsi VideoBridge) AFAIK.</p>
<h2>How to install Jitsi server?</h2>
<p>I followed <strong>Nerd on the Street</strong>'s <a href="https://invidio.us/watch?v=IQRwtUamHQU">Host a Jitsi Meet Server</a> installation tutorial. It took about 30 minute of my time (I am a noob) to get the server running. It takes another 10 minutes to secure it.</p>
<hr>
<p>When I started this blog post, I expected to list 2 reasons not to use WhatsApp and Zoom then start talking about why Jitsi is the answer to my family's Group Video Calling needs. To fact check what I knew about about them (Zoom in particular) I searched them on <a href="https://en.wikipedia.org/wiki/Zoom_(software)" title="Read more about Zoom on WikiPedia">Wikipedia</a>. I learned much more than I expected. I am sorry for turning this post into "Rant of Zoom". I hope you learned a thing or two too.</p>
<hr>
<h3>Other side of the coin</h3>
<p>If you think I would be better of sticking to WhatsApp or Zoom, tell me more. Even though I read many negative things about Zoom, I will try my best to keep an open mind and hear people seeing other side of the coin. I am a human and can make mistakes. If there is something important I should know to better understand what is going on, please reply to comment toot linked below.</p><!-- Comments -->
<hr>
<h2>Comments</h2>
<p>Toot on <a href="https://fosstodon.org/@murtezayesil/104535970036319662">this thread</a> to comment. This blog is a static site. Comments won't appear here.</p>
</article>
<p class="paginator">
Page 1 / 1
</p>
</aside><!-- /#featured -->
</ol><!-- /#posts-list -->
</section><!-- /#content -->
<section id="extras" class="body">
<div class="blogroll">
<h2>blogroll</h2>
<ul>
<li><a href="https://kevq.uk">Kev Quirk</a></li>
<li><a href="https://mikestone.me">Mike Stone</a></li>
<li><a href="https://yarmo.eu/">Yarmo Mackenbach</a></li>
</ul>
</div><!-- /.blogroll -->
<div class="social">
<h2>social</h2>
<ul>
<li><a href="https://murtezayesil.me/feeds/atom.xml" type="application/atom+xml" rel="alternate">atom feed</a></li>
<li><a href="https://murtezayesil.me/feeds/rss.xml" type="application/rss+xml" rel="alternate">rss feed</a></li>
<li><a href="https://fosstodon.org/@murtezayesil">Fostodon</a></li>
</ul>
</div><!-- /.social -->
</section><!-- /#extras -->
<footer id="contentinfo" class="body">
<p>Powered by <a href="http://getpelican.com/">Pelican</a>. Theme <a href="https://github.com/blueicefield/pelican-blueidea/">blueidea</a>, inspired by the default theme.</p>
</footer><!-- /#contentinfo -->
</body>
</html>
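Review bot: The E2EE answer in this hunk describes "AES-256 ECB" as "one of the greatest encryption algorithms out there", but ECB is the weak part of that name. ECB encrypts every block independently, so identical plaintext blocks give identical ciphertext blocks and patterns in the data survive encryption. Suggest rewording the answer so that it separates the cipher (AES) from the mode (ECB) and does not present ECB as a strength. Separately, the four "Mobile users" items have no `<br>` between them, unlike the "Desktop/laptop users" items above them, so they will render as one run-on line; add the line breaks in the post source and regenerate.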

View File

@ -40,7 +40,7 @@
</nav>
<div id="submenu">
<ul>
<li><a href="https://murtezayesil.me/category/tech.html">Tech</a></li>
<li><a href="https://murtezayesil.me/category/tech.html">tech</a></li>
</ul>
<div>
</header><!-- /#banner -->
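Review bot: The context lines of this hunk show `<div id="submenu">` followed, after `</ul>`, by a second `<div>` where a `</div>` would be expected, so the submenu container is never closed before `</header>`. The same lines appear in the other generated pages in this commit, which points at the theme template rather than the output files; fix the closing tag there and regenerate.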

View File

@ -40,49 +40,126 @@
</nav>
<div id="submenu">
<ul>
<li><a href="https://murtezayesil.me/category/tech.html">Tech</a></li>
<li><a href="https://murtezayesil.me/category/tech.html">tech</a></li>
</ul>
<div>
</header><!-- /#banner -->
<aside id="featured" class="body">
<article>
<h1 class="entry-title"><a href="https://murtezayesil.me/digital-cleansing-nextcloud.html">Digital Cleansing - NextCloud</a></h1>
<h1 class="entry-title"><a href="https://murtezayesil.me/digital-cleansing-jitsi.html">Digital Cleansing - Jitsi</a></h1>
<footer class="post-info">
<span>Sat 18 July 2020</span>
<span>| in <a href="https://murtezayesil.me/category/tech.html">tech</a></span>
<span>| tags: <a href="https://murtezayesil.me/tag/privacy.html">privacy</a><a href="https://murtezayesil.me/tag/jitsi.html">jitsi</a><a href="https://murtezayesil.me/tag/100daystooffload.html">100DaysToOffload</a></span> <span>| Day <strong>5</strong> of #100DaysToOffload</span>
</footer><!-- /.post-info --><p>My family is spread into 3 countries in 3 different continents. If we include my close relatives too, these numbers go even higher. It is important to stay in contact with your family and relatives in Turkish culture and we try to do that. Let it be weekend Zoom meetings (in 40 minute chunks :) or phone calls on WhatsApp (owned by Facebook), we heavily rely on third party services for communication. After launching NextCloud for my family to use, I what I wanted to tackle the <strong>Communication</strong> problem.</p>
<p>We have 3 kinds of communication needs in the family:<br>
1. Text messages<br>
2. Voice Calls<br>
3. (Mostly group) Video Calls</p>
<hr>
<h3>Text Messaging &amp; Voice Calls</h3>
<p>I have been usign Telegram wherever I can for few years. Its UI is very similar to that of WhatsApp which I hope will ease the transition for my relatives. Since it also has voice calling, I don't need to look for another service for that. I love hitting two birds with one stone (only in metaphor) 😄️ <br>
That being said, I won't actually talk much about WhatsApp. Facebook bought WhatsApp back in February 2014. I believe that was a great deal for Facebook and a terrible deal for users.<br>
I know I mentioned Telegram but there is one more great alternative to WhatsApp (or even Telegram). It is called <a href="https://signal.org/" title="Official page">Signal</a> and it is developed by a non-profit founded by Co-founder of WhatsApp, Brian Acton. It is one freaking secure messaging app 😎️</p>
<hr>
<h3>Group Video Calls</h3>
<p>My families' and relatives' current choice of Group Video Calling service is Zoom, just like millions of other people who needed a video calling service for remote work, distance education and calling their loved ones. But Zoom seemingly popped out of nowhere for many people. I wanted to learn more about who Zoom is and how trustable it is. I hope my findings will help you to make educated decisions.</p>
<p>Zoom was <a href="https://en.wikipedia.org/wiki/Zoom_(software)#History" title="History of Zoom on Wikipedia">launched in September 2012</a>, reached <a href="https://www.tmcnet.com/topics/articles/2013/05/23/339279-zoom-video-communications-reaches-1-million-participants.htm" title="Zoom Video Communications Reaches 1 Million Participants - TMCnet">1 Million user base in January 2013</a> and rapidly grow during global quarantine to a point that Zoom got <a href="https://web.archive.org/web/20200422125131/https://www.theguardian.com/technology/2020/mar/31/zoom-booms-as-demand-for-video-conferencing-tech-grows-in-coronavirus-outbreak" title="Zoom booms as demand for video-conferencing tech grows - The Guardian [archive]">2.13 Million downloads on March 23rd 2020</a>.</p>
<p>After some research (reading Wikipedia) I found that Zoom had many wounds that hurt many of its users. Given that Zoom reached 1 Million userbase 5 months after launching (from September 2012 to January 2013) and they were charging 9.99$/month, I expect Zoom to invest into infrastructure and app security. I am saying this because they clearly had time to fix issues in their apps before the pandemic arrived. Here are few examples to show how Zoom messed up:<br>
<strong>Windows</strong> : <a href="https://arstechnica.com/information-technology/2020/04/unpatched-zoom-bug-lets-attackers-steal-windows-credentials-with-no-warning/">Attackers can use Zoom to steal users Windows credentials with no warning - ars technica</a><br>
<strong>MacOS</strong> : <a href="https://threatpost.com/zoom-zero-day-mac-webcam-hijacking/146317/">Zoom Zero-Day Bug Opens Mac Users to Webcam Hijacking - threat post</a>. This prompted Apple to use its MRT (Malware Removal Tool) to remotely delete Zoom from Mac computers.<br>
<strong>MacOS</strong> : <a href="https://medium.com/bugbountywriteup/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5">Zoom Zero Day: 4+ Million Webcams &amp; maybe an RCE? Just get them to visit your website! - InfoSec Write-ups</a> allowing Zoom to reinstall itself after being uninstalled and join a video call with camera activated without user's permission.<br>
<strong>MacOS</strong> : <a href="https://nitter.net/c1truz_/status/1244737672930824193">Zoom App installation uses the same method used by malwares to gain root priviledges - Twitter thread on Nitter</a><br>
<strong>iOS</strong> : <a href="https://www.vice.com/en_ca/article/k7e599/zoom-ios-app-sends-data-to-facebook-even-if-you-dont-have-a-facebook-account">Zoom iOS App Sends Data to Facebook Even if You Dont Have a Facebook Account - Vice</a><br>
<strong>Android</strong> : I didn't find any news about Zoom Android App vulnerabilities. But if they used Facebook tracker in iOS app, I don't see any reason why zoom wouldn't use the same on Android
<strong>Linux</strong> : No vulnerability was found YET. Remember that <a href="https://netmarketshare.com/operating-system-market-share.aspx?options=%7B%22filter%22%3A%7B%22%24and%22%3A%5B%7B%22deviceType%22%3A%7B%22%24in%22%3A%5B%22Desktop%2Flaptop%22%5D%7D%7D%5D%7D%2C%22dateLabel%22%3A%22Custom%22%2C%22attributes%22%3A%22share%22%2C%22group%22%3A%22platform%22%2C%22sort%22%3A%7B%22share%22%3A-1%7D%2C%22id%22%3A%22platformsDesktop%22%2C%22dateInterval%22%3A%22Monthly%22%2C%22dateStart%22%3A%222019-08%22%2C%22dateEnd%22%3A%222020-06%22%2C%22plotKeys%22%3A%5B%7B%22platform%22%3A%22Linux%22%7D%2C%7B%22platform%22%3A%22Mac%20OS%22%7D%2C%7B%22platform%22%3A%22Chrome%20OS%22%7D%5D%2C%22segments%22%3A%22-1000%22%7D" title="Less than 4%">Linux desktop has a small marketshare</a> and apps for it are less likely to be targeted by hackers.</p>
<blockquote>
<p>"Zoom has just had so many missteps."
- Patrick Wardle, Jamf</p>
</blockquote>
<p>You can read about Zoom's vulnerabilities on MacOS and iOS in detail in <a href="https://objective-see.com/blog/blog_0x56.html" title="The 'S' in Zoom, Stands for Security - Objective-See">this blog post of Objective-See</a>. </p>
<p>These issues were <strong>FIXED</strong> by Zoom. But Zoom took long time to responde some of the cyber security personel as if it didn't care about the user privacy and security. I only mentioned the vulnerabilities in Zoom's apps. Zoom also <a href="https://www.axios.com/zoom-closes-chinese-user-account-tiananmen-square-f218fed1-69af-4bdd-aac4-7eaf67f34084.html" title="Zoom closed account of U.S.-based Chinese activist “to comply with local law” - Axios">contributed to censorship</a> by closing human rights activist Zhou Fengsuo's paid account and closing Social activist Lee Cheuk Yan's account upon China's request.</p>
<p>👉️ Since those vulnerabilities are fixed it should be safe to use Zoom, right?<br>
Unfortunately, NO. Even if apps became less vulnerable, users still are through weak privacy practices and use of third party trackers. Zoom's Privacy Policy is <a href="https://zoom.us/privacy#_Toc44414842">not assuring enough</a>.</p>
<p>👉️ They introduced end-to-end encryption, E2EE. Is it insecure encryption?<br>
AES-256 ECB algorithm used for E2EE is one of the greatest encryption algorithms out there. But it isn't enabled by default and enabling E2EE disables many features such as screensharing, which doesn't incentivise people to use E2EE. Both enterprise customers and teachers would want to use screensharing, thus not using E2EE.</p>
<p>👉️ They say Zoom encrypts every meeting by default. Are they lying?<br>
No, they are not. But they aren't telling the whole story either. When you start a Zoom meeting, your device establishes a connection to Zoom over <a href="https://en.wikipedia.org/wiki/Https#Security">HTTPS</a>. Meaning data is encrypted during transmission between you and Zoom. Data gets decrypted in Zoom and encrypted again before it goes to whoever you are meeting with. This is done because everybody in the meeting has different <a href="https://en.wikipedia.org/wiki/Session_key">session key</a> for encryption. Your meeting is apparent to Zoom, not hidden from it.</p>
<p>👉️ Zoom has faced <a href="https://en.wikipedia.org/wiki/Zero-day_(computing)" title="Learn about zero day attacks on Wikipedia">0-day attacks</a> which weren't fair.<br>
Not a question but I get your point. When a cyber security personal discovers a vulnerability, (s)he informs the vendor about the vulnerability in disguise and asks for bounty. Vendor checks if that is a legit vulnerability or a scam. Then they work together to fix the issue and vendor pays the bounty. Many companies have a <a href="https://www.intel.com/content/www/us/en/security-center/bug-bounty-program.html" title="Intel offers upto 100,000$">bug</a> <a href="https://hackerone.com/verizonmedia?type=team" title="Verizon offers upto 15,000$">bounty</a> <a href="https://www.microsoft.com/en-us/msrc/bounty" title="Microsoft offers upto 100,000$">program</a>.<br>
A cyber security personal may choose to release the vulnerability to public for it to be exploited by other people, which turns a vulnerability into zero day attack. This action incentivises vendor to fix that issue immediately since issue became well-known.<br>
Zoom had time since 2013 for testing its softwares properly. Proper testing would uncover those bugs before hackers did. Any company that is careless about security and privacy of its customers' deserves to be pinched to start acting.</p>
<p>What if I am forced to Zoom by my employer/school/family?<br>
Desktop/laptop users:<br>
1. Windows: Use virtual machine and apply one of the below Linux methods<br>
2. MacOS: Use virtual machine and apply one of the below Linux methods<br>
3. Linux: Install Linux Live image on a USB and boot into it everytime you need to Zoom. Install Zoom into that Live environment. Zoom will only be able to access what is in that Live environment. Shutting down a Live environment deletes everything that was installed in that session.<br>
4. Linux: <a href="https://ar.al/2020/06/25/how-to-use-the-zoom-malware-safely-on-linux-if-you-absolutely-have-to/" title="How to use the Zoom malware safely on Linux if you absolutely have to - Aral Balkan">Install Zoom into a firejail</a>, greatly limiting what it can reach.<br>
Mobile users:<br>
1. Android: <a href="https://www.howtogeek.com/333484/how-to-set-up-multiple-user-profiles-on-android/" title="This process maybe different for different brands">Create a restricted user</a> on your phone and install Zoom there. Not in your main user.
2. Android: If you can, use Zoom on Linux as described above.
3. iOS: Don't give it permissions if you don't need them. Don't let it run in background. Uninstall after using.
4. iOS: If you can, use Zoom on Linux as described above.</p>
<p>PS: I don't own a Mac, iPhone or Windows PC. But since Zoom on those platforms seem to be the affected most, I recommend everybody to use Zoom on Linux in a firejail if you absolutely have to.</p>
<p>I also wanted to read articles <a href="https://medium.com/@rowantrollope/beyond-the-noise-7-reasons-its-safe-to-run-zoom-9a2e639b13ec">that</a> <a href="https://blog.prialto.com/3-reasons-why-zoom-provides-the-best-video-conferencing-software">defend</a> <a href="https://www.forbes.com/sites/rebeccabellan/2020/03/24/what-you-need-to-know-about-using-zoom/#3cee9d0d3284">Zoom</a>. But they are mostly talking about Zoom's E2EE feature (that is not default), how people got creative with Virtual Background feature, Zoom's clean UI, ability to fake paying attention and its price. They either say nothing about Zooms privacy policy or even if they say something, it is not assuring in my opinion.</p>
<hr>
<h1>Jitsi</h1>
<p>Jitsi is an open source alternative to Video Calling (Conferencing) services. I will prove that Jitsi is much better than Zoom with only 1 sentence.</p>
<h1 style="text-align: center;">You can host Jitsi on your own server without relying on another entity</h1>
<p>You want more?</p>
<ol>
<li>Jitsi has Clean UI that is familiar to that of Zoom. </li>
<li>Jitsi <strong>doesn't</strong> have looping video feature which helps students or emplyees fake paying attention. </li>
<li>Jitsi is <strong title="Free Open Source Software">FOSS</strong> developed by <a href="https://8x8.com">8x8</a>. </li>
<li>
<p>Hosting Jitsi doesn't require a server with powerful CPU or GPU. Important resource is bandwidth. </p>
</li>
<li>
<p>Jitsi doesn't have virtual background but it instead has background blurring in development.</p>
</li>
</ol>
<p>👉️ Is it truely E2EE?<br>
<strong>This is what I understood from reading <a href="https://github.com/jitsi/jitsi-meet/issues/409#issuecomment-260652107">this threat</a>. Please correct me if I am wrong</strong><br>
Short answer is No.<br>
Long answer is: Just like in Zoom's case, connection between users and Jitsi VideoBridge (server) is encrypted. Server decrypts and encrypts everybody's stream for everybody else. But by having the control of Jitsi VideoBridge (server) by hosting it on your own server, you can assure that no other company/organization is holding your plain data except the recepient you are meeting with.<br>
That being said, Jitsi can establish P2P connection in rooms where there are only 2 people. This is a feature of WebRTC that Jitsi is built upon. It still <strong>isn't</strong> true E2EE.</p>
<p>👉️ Do anyone even use it?<br>
Glad you ask. Many companies banned use of Zoom and switched to alternatives such as Microsoft Teams, Skype, Hangout Meet and Jitsi. You probably won't see Jitsi's UI very often in the wild, but many companies use Jitsi VideoBridge as their backend for video conferences. Out of all the alternatives, only Jitsi allows self-hosting of server (Jitsi VideoBridge) AFAIK.</p>
<h2>How to install Jitsi server?</h2>
<p>I followed <strong>Nerd on the Street</strong>'s <a href="https://invidio.us/watch?v=IQRwtUamHQU">Host a Jitsi Meet Server</a> installation tutorial. It took about 30 minute of my time (I am a noob) to get the server running. It takes another 10 minutes to secure it.</p>
<hr>
<p>When I started this blog post, I expected to list 2 reasons not to use WhatsApp and Zoom then start talking about why Jitsi is the answer to my family's Group Video Calling needs. To fact check what I knew about about them (Zoom in particular) I searched them on <a href="https://en.wikipedia.org/wiki/Zoom_(software)" title="Read more about Zoom on WikiPedia">Wikipedia</a>. I learned much more than I expected. I am sorry for turning this post into "Rant of Zoom". I hope you learned a thing or two too.</p>
<hr>
<h3>Other side of the coin</h3>
<p>If you think I would be better of sticking to WhatsApp or Zoom, tell me more. Even though I read many negative things about Zoom, I will try my best to keep an open mind and hear people seeing other side of the coin. I am a human and can make mistakes. If there is something important I should know to better understand what is going on, please reply to comment toot linked below.</p><!-- Comments -->
<hr>
<h2>Comments</h2>
<p>Toot on <a href="https://fosstodon.org/@murtezayesil/104535970036319662">this thread</a> to comment. This blog is a static site. Comments won't appear here.</p>
</article>
</aside><!-- /#featured -->
<section id="content" class="body">
<h1>Other articles</h1>
<ol id="posts-list" class="hfeed">
<li><article class="hentry">
<header>
<h1><a href="https://murtezayesil.me/digital-cleansing-nextcloud.html" rel="bookmark"
title="Permalink to Digital Cleansing - NextCloud">Digital Cleansing - NextCloud</a></h1>
</header>
<div class="entry-content">
<footer class="post-info">
<span>Thu 16 July 2020</span>
<span>| in <a href="https://murtezayesil.me/category/tech.html">Tech</a></span>
<span>| tags: <a href="https://murtezayesil.me/tag/privacy.html">privacy</a><a href="https://murtezayesil.me/tag/nextcloud.html">nextcloud</a><a href="https://murtezayesil.me/tag/100daystooffload.html">100DaysToOffload</a></span> <span>| Day <strong>4</strong> of #100DaysToOffload</span>
</footer><!-- /.post-info --><p>This article reflects my opinions and experiences with few file server services.</p>
<p>TL;DR : I think NextCloud is a far superior product for the price.</p>
<p>Digital cleansing is about reowning personal data and regaining control over how it is processed. When I started digital cleansing, I wanted to start from where the most of my data is stored. There are 2 such services, Google Drive and Photos. I started by looking for <a href="https://alternativeto.net/software/google-drive/">alternatives</a>. OwnCloud and NextCloud seemed like <strong>affordable</strong> and <strong title="Free Open Source Software">FOSS</strong> alternatives that allow <strong title="Can be hosted on personal (or home) computer/server without relying on another service provider">self-hosting</strong>.</p>
<hr>
<h2>Owncloud</h2>
<p>I started my journey by renting a VM on Digital Ocean, droplet. I installed <a href="https://en.wikipedia.org/wiki/LAMP_(software_bundle)" title="Minimum set of softwares needed for a working web service">LAMP stack</a> and <a href="https://en.wikipedia.org/wiki/OwnCloud" title="File server service">OwnCloud</a>. As a new comer to OwnCloud, I started to click every button in every menu to discover and learn more about OwnCloud. <a href="https://marketplace.owncloud.com/">Marketplace</a>, a feature manager to add/remove more features, has many stuff that can appeal to enterprises and teams working from home. Next, I browsed the <a href="https://search.f-droid.org/?q=owncloud" title="Apps for OwnCloud on F-droid">available Android apps for OwnCloud</a>. To my surprise, there aren't many. I expected niche apps on Android for using niche features on marketplace. Instead, I would run into more <a href="https://search.f-droid.org/?q=nextcloud" title="Apps for NextCloud on F-droid">apps branded for NextCloud</a>. Meanwhile I updated the droplet, because updates are important, but ran into "kernel updates rendering server unbootable" kind of issues, I switched to Linode and NextCloud after strugling on Digital Ocean for a week.</p>
<p>Just like Owncloud's marketplace, NextCloud has its own "app store", I'd like to them "feature manager" instead because both marketplace and app store are used for en/disabling features on the platform. But NextCloud has niche apps for Android and I believe this provides more convenience to mobile users like myself.</p>
<hr>
<h2>NextCloud</h2>
<p>Since NextCloud is a file server in its core, it was the drop-in Google Drive &amp; Photos replacement I needed. It also has built-in <a href="https://en.wikipedia.org/wiki/WebDAV" title="Protocol for using remote file system over HTTP">WebDAV</a>, <a href="https://en.wikipedia.org/wiki/CardDAV" title="vCard (contact info) extension for WebDAV">CardDAV</a> and <a href="https://en.wikipedia.org/wiki/CalDAV" title="Calendar extension for WebDAV">CalDAV</a> support, which means I can use NextCloud as Google Contacts &amp; Calendar replacement as well and access files in native file manager as if it was a USB drive 🎉️</p>
<p>After enabling more services from feature manager (yes, I am sticking with this name) it also became my notes, tasks, bookmarks manager as well. All powered by a VM that costs 5$/month to run, +2$ for backup.</p>
<blockquote>
<p>One who loves roses should endure thorns - Turkish Proverb</p>
</blockquote>
<p>NextCloud is great. But just like every other artificial thing in this world, it isn't perfect. The biggest problem I face with it is the <strong>performance</strong> of web interface. It is written in PHP and being not compiled program is not doing any favors. Image preview loading can be called sluggish by many. Since I use mobile app most of the time which caches the previews, user experience isn't bad in my opinion.</p>
<hr>
<p><a href="https://kevq.uk" title="his blog">Kev Quirk</a> wrote a blog about his opinions and experiences with <strong title="My current choice of file server solution">NextCloud</strong> and <strong title="His choice of home server solution">Synology</strong>. This is my answer to <a href="https://kevq.uk/synology-vs-nextcloud-which-is-better-for-a-home-server/" title="Synology vs Nextcloud Which Is Better For A Home Server?">his blog</a>.</p>
<p>Synology's home server sound like a great product. I am happy for you and your family that your data is safe and accesible without giving up your privacy. After reading your blog, I wanted to try Synology as well. Upon seeing the price for <a href="https://www.newegg.com/synology-ds420/p/N82E16822108744" title="4 HDD bay NAS for home/small business use (disks not included)">Synology 420+</a> is 500$ and another 400$ for 4x <a href="https://www.newegg.com/seagate-ironwolf-st4000vn008-4tb/p/N82E16822179005" title="SeaGate NAS HDD">4TB HDD</a> for RAID 6, I believe NextCloud is the best choice I have. I am 1 student who has no movies, musics, 4K family photos or video project for YouTube channel to utilize TBs of storage not do I have budget for it. Under these requirements and constraints, I want to offer an alternative to Google to my family. Since I can't just ask for ~900$ for Synology, NextCloud on a VM is the best option I have. I still have option of increasing VM disk size or mounting external block storage as our storage needs grow.</p>
<p>It is nice that we have different perspectives on same topic. I wrote this answer because I wanted you to see from the eyes of a student living on pocket money and still afford for privacy of his and his family. May your Synology system last long and serve your family well 🙂️</p>
<hr>
<p>If you think Google services aren't that bad and I would be better off keep using Google services, <a href="https://tosdr.org/#google">here is my reasoning #1</a> and <a href="https://www.reuters.com/article/us-alphabet-google-privacy-lawsuit/google-faces-lawsuit-over-tracking-in-apps-even-when-users-opted-out-idUSKCN24F2N4" title="Google faces lawsuit over tracking in apps even when users opted out - Reuters">#2</a>. But if you still think that I should use Google services, tell me your reasoning and help me see your side of the coin. I would like to stay open minded.</p><!-- Comments -->
<hr>
<h2>Comments</h2>
<p>Toot on <a href="https://fosstodon.org/@murtezayesil/104521563799892039">this thread</a> to comment. This blog is a static site. Comments won't appear here.</p>
</article>
</aside><!-- /#featured -->
<section id="content" class="body">
<h1>Other articles</h1>
<ol id="posts-list" class="hfeed">
</footer><!-- /.post-info --> </div><!-- /.entry-content -->
</article></li>
<li><article class="hentry">
<header>
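Review bot: The category label is inconsistent in this hunk: the Jitsi post's footer links category/tech.html as "tech", while the NextCloud entry under "Other articles" links the same URL as "Tech". The submenu label changes between the same two spellings in the other hunks, so settle on one spelling in the posts' metadata to stop the label flipping on each rebuild. In the same post-info footer, the tag links are emitted back to back (`privacy</a><a href=...`) with no separator, so they render as a single run of text; add a separator in the template.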

View File

@ -40,7 +40,7 @@
</nav>
<div id="submenu">
<ul>
<li><a href="https://murtezayesil.me/category/tech.html">Tech</a></li>
<li><a href="https://murtezayesil.me/category/tech.html">tech</a></li>
</ul>
<div>
</header><!-- /#banner -->

View File

@ -40,15 +40,16 @@
</nav>
<div id="submenu">
<ul>
<li><a href="https://murtezayesil.me/category/tech.html">Tech</a></li>
<li><a href="https://murtezayesil.me/category/tech.html">tech</a></li>
</ul>
<div>
</header><!-- /#banner -->
<section id="content" class="body">
<h1>Tags for Ali Murteza Yesil</h1> <li><a href="https://murtezayesil.me/tag/100daystooffload.html">100DaysToOffload</a> (4)</li>
<h1>Tags for Ali Murteza Yesil</h1> <li><a href="https://murtezayesil.me/tag/100daystooffload.html">100DaysToOffload</a> (5)</li>
<li><a href="https://murtezayesil.me/tag/jitsi.html">jitsi</a> (1)</li>
<li><a href="https://murtezayesil.me/tag/nextcloud.html">nextcloud</a> (2)</li>
<li><a href="https://murtezayesil.me/tag/privacy.html">privacy</a> (4)</li>
<li><a href="https://murtezayesil.me/tag/privacy.html">privacy</a> (5)</li>
<li><a href="https://murtezayesil.me/tag/self-hosting.html">self-hosting</a> (1)</li>
</section>
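Review bot: The tag entries are bare `<li>` elements placed directly inside `<section id="content" class="body">`, the first one on the same line as the `<h1>`, with no `<ul>` or `<ol>` around them. Wrap the entries in a list element in the tags template so the generated markup is valid and the counts render as a proper list.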